2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
43 #define LE_FLOWCTL_MAX_CREDITS 65535
46 bool enable_ecred = IS_ENABLED(CONFIG_BT_LE_L2CAP_ECRED);
48 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
50 static LIST_HEAD(chan_list);
51 static DEFINE_RWLOCK(chan_list_lock);
53 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
54 u8 code, u8 ident, u16 dlen, void *data);
55 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
57 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
58 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
60 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
61 struct sk_buff_head *skbs, u8 event);
62 static void l2cap_retrans_timeout(struct work_struct *work);
63 static void l2cap_monitor_timeout(struct work_struct *work);
64 static void l2cap_ack_timeout(struct work_struct *work);
66 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
68 if (link_type == LE_LINK) {
69 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
72 return BDADDR_LE_RANDOM;
78 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
80 return bdaddr_type(hcon->type, hcon->src_type);
83 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
85 return bdaddr_type(hcon->type, hcon->dst_type);
88 /* ---- L2CAP channels ---- */
90 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
95 list_for_each_entry(c, &conn->chan_l, list) {
102 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
105 struct l2cap_chan *c;
107 list_for_each_entry(c, &conn->chan_l, list) {
114 /* Find channel with given SCID.
115 * Returns a reference locked channel.
117 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
120 struct l2cap_chan *c;
122 mutex_lock(&conn->chan_lock);
123 c = __l2cap_get_chan_by_scid(conn, cid);
125 /* Only lock if chan reference is not 0 */
126 c = l2cap_chan_hold_unless_zero(c);
130 mutex_unlock(&conn->chan_lock);
135 /* Find channel with given DCID.
136 * Returns a reference locked channel.
138 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
141 struct l2cap_chan *c;
143 mutex_lock(&conn->chan_lock);
144 c = __l2cap_get_chan_by_dcid(conn, cid);
146 /* Only lock if chan reference is not 0 */
147 c = l2cap_chan_hold_unless_zero(c);
151 mutex_unlock(&conn->chan_lock);
156 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
159 struct l2cap_chan *c;
161 list_for_each_entry(c, &conn->chan_l, list) {
162 if (c->ident == ident)
168 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
171 struct l2cap_chan *c;
173 list_for_each_entry(c, &chan_list, global_l) {
174 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
177 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
180 if (c->sport == psm && !bacmp(&c->src, src))
186 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
190 write_lock(&chan_list_lock);
192 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
202 u16 p, start, end, incr;
204 if (chan->src_type == BDADDR_BREDR) {
205 start = L2CAP_PSM_DYN_START;
206 end = L2CAP_PSM_AUTO_END;
209 start = L2CAP_PSM_LE_DYN_START;
210 end = L2CAP_PSM_LE_DYN_END;
215 for (p = start; p <= end; p += incr)
216 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
218 chan->psm = cpu_to_le16(p);
219 chan->sport = cpu_to_le16(p);
226 write_unlock(&chan_list_lock);
229 EXPORT_SYMBOL_GPL(l2cap_add_psm);
231 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
233 write_lock(&chan_list_lock);
235 /* Override the defaults (which are for conn-oriented) */
236 chan->omtu = L2CAP_DEFAULT_MTU;
237 chan->chan_type = L2CAP_CHAN_FIXED;
241 write_unlock(&chan_list_lock);
246 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
250 if (conn->hcon->type == LE_LINK)
251 dyn_end = L2CAP_CID_LE_DYN_END;
253 dyn_end = L2CAP_CID_DYN_END;
255 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
256 if (!__l2cap_get_chan_by_scid(conn, cid))
263 static void l2cap_state_change(struct l2cap_chan *chan, int state)
265 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
266 state_to_string(state));
269 chan->ops->state_change(chan, state, 0);
272 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
276 chan->ops->state_change(chan, chan->state, err);
279 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
281 chan->ops->state_change(chan, chan->state, err);
284 static void __set_retrans_timer(struct l2cap_chan *chan)
286 if (!delayed_work_pending(&chan->monitor_timer) &&
287 chan->retrans_timeout) {
288 l2cap_set_timer(chan, &chan->retrans_timer,
289 msecs_to_jiffies(chan->retrans_timeout));
293 static void __set_monitor_timer(struct l2cap_chan *chan)
295 __clear_retrans_timer(chan);
296 if (chan->monitor_timeout) {
297 l2cap_set_timer(chan, &chan->monitor_timer,
298 msecs_to_jiffies(chan->monitor_timeout));
302 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
307 skb_queue_walk(head, skb) {
308 if (bt_cb(skb)->l2cap.txseq == seq)
315 /* ---- L2CAP sequence number lists ---- */
317 /* For ERTM, ordered lists of sequence numbers must be tracked for
318 * SREJ requests that are received and for frames that are to be
319 * retransmitted. These seq_list functions implement a singly-linked
320 * list in an array, where membership in the list can also be checked
321 * in constant time. Items can also be added to the tail of the list
322 * and removed from the head in constant time, without further memory
326 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
328 size_t alloc_size, i;
330 /* Allocated size is a power of 2 to map sequence numbers
331 * (which may be up to 14 bits) in to a smaller array that is
332 * sized for the negotiated ERTM transmit windows.
334 alloc_size = roundup_pow_of_two(size);
336 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
340 seq_list->mask = alloc_size - 1;
341 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
342 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
343 for (i = 0; i < alloc_size; i++)
344 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
349 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
351 kfree(seq_list->list);
354 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
357 /* Constant-time check for list membership */
358 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
361 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
363 u16 seq = seq_list->head;
364 u16 mask = seq_list->mask;
366 seq_list->head = seq_list->list[seq & mask];
367 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
369 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
370 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
371 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
377 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
381 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
384 for (i = 0; i <= seq_list->mask; i++)
385 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
387 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
388 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
391 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
393 u16 mask = seq_list->mask;
395 /* All appends happen in constant time */
397 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
400 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
401 seq_list->head = seq;
403 seq_list->list[seq_list->tail & mask] = seq;
405 seq_list->tail = seq;
406 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
409 static void l2cap_chan_timeout(struct work_struct *work)
411 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
413 struct l2cap_conn *conn = chan->conn;
416 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
418 mutex_lock(&conn->chan_lock);
419 /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
420 * this work. No need to call l2cap_chan_hold(chan) here again.
422 l2cap_chan_lock(chan);
424 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
425 reason = ECONNREFUSED;
426 else if (chan->state == BT_CONNECT &&
427 chan->sec_level != BT_SECURITY_SDP)
428 reason = ECONNREFUSED;
432 l2cap_chan_close(chan, reason);
434 chan->ops->close(chan);
436 l2cap_chan_unlock(chan);
437 l2cap_chan_put(chan);
439 mutex_unlock(&conn->chan_lock);
442 struct l2cap_chan *l2cap_chan_create(void)
444 struct l2cap_chan *chan;
446 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
450 skb_queue_head_init(&chan->tx_q);
451 skb_queue_head_init(&chan->srej_q);
452 mutex_init(&chan->lock);
454 /* Set default lock nesting level */
455 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
457 write_lock(&chan_list_lock);
458 list_add(&chan->global_l, &chan_list);
459 write_unlock(&chan_list_lock);
461 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
462 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
463 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
464 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
466 chan->state = BT_OPEN;
468 kref_init(&chan->kref);
470 /* This flag is cleared in l2cap_chan_ready() */
471 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
473 BT_DBG("chan %p", chan);
477 EXPORT_SYMBOL_GPL(l2cap_chan_create);
479 static void l2cap_chan_destroy(struct kref *kref)
481 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
483 BT_DBG("chan %p", chan);
485 write_lock(&chan_list_lock);
486 list_del(&chan->global_l);
487 write_unlock(&chan_list_lock);
492 void l2cap_chan_hold(struct l2cap_chan *c)
494 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
499 struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c)
501 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
503 if (!kref_get_unless_zero(&c->kref))
509 void l2cap_chan_put(struct l2cap_chan *c)
511 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
513 kref_put(&c->kref, l2cap_chan_destroy);
515 EXPORT_SYMBOL_GPL(l2cap_chan_put);
517 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
519 chan->fcs = L2CAP_FCS_CRC16;
520 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
521 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
522 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
523 chan->remote_max_tx = chan->max_tx;
524 chan->remote_tx_win = chan->tx_win;
525 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
526 chan->sec_level = BT_SECURITY_LOW;
527 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
528 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
529 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
531 chan->conf_state = 0;
532 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
534 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
536 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
538 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
541 chan->sdu_last_frag = NULL;
543 chan->tx_credits = tx_credits;
544 /* Derive MPS from connection MTU to stop HCI fragmentation */
545 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
546 /* Give enough credits for a full packet */
547 chan->rx_credits = (chan->imtu / chan->mps) + 1;
549 skb_queue_head_init(&chan->tx_q);
552 static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
554 l2cap_le_flowctl_init(chan, tx_credits);
556 /* L2CAP implementations shall support a minimum MPS of 64 octets */
557 if (chan->mps < L2CAP_ECRED_MIN_MPS) {
558 chan->mps = L2CAP_ECRED_MIN_MPS;
559 chan->rx_credits = (chan->imtu / chan->mps) + 1;
563 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
565 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
566 __le16_to_cpu(chan->psm), chan->dcid);
568 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
572 switch (chan->chan_type) {
573 case L2CAP_CHAN_CONN_ORIENTED:
574 /* Alloc CID for connection-oriented socket */
575 chan->scid = l2cap_alloc_cid(conn);
576 if (conn->hcon->type == ACL_LINK)
577 chan->omtu = L2CAP_DEFAULT_MTU;
580 case L2CAP_CHAN_CONN_LESS:
581 /* Connectionless socket */
582 chan->scid = L2CAP_CID_CONN_LESS;
583 chan->dcid = L2CAP_CID_CONN_LESS;
584 chan->omtu = L2CAP_DEFAULT_MTU;
587 case L2CAP_CHAN_FIXED:
588 /* Caller will set CID and CID specific MTU values */
592 /* Raw socket can send/recv signalling messages only */
593 chan->scid = L2CAP_CID_SIGNALING;
594 chan->dcid = L2CAP_CID_SIGNALING;
595 chan->omtu = L2CAP_DEFAULT_MTU;
598 chan->local_id = L2CAP_BESTEFFORT_ID;
599 chan->local_stype = L2CAP_SERV_BESTEFFORT;
600 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
601 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
602 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
603 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
605 l2cap_chan_hold(chan);
607 /* Only keep a reference for fixed channels if they requested it */
608 if (chan->chan_type != L2CAP_CHAN_FIXED ||
609 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
610 hci_conn_hold(conn->hcon);
612 list_add(&chan->list, &conn->chan_l);
615 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
617 mutex_lock(&conn->chan_lock);
618 __l2cap_chan_add(conn, chan);
619 mutex_unlock(&conn->chan_lock);
622 void l2cap_chan_del(struct l2cap_chan *chan, int err)
624 struct l2cap_conn *conn = chan->conn;
626 __clear_chan_timer(chan);
628 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
629 state_to_string(chan->state));
631 chan->ops->teardown(chan, err);
634 /* Delete from channel list */
635 list_del(&chan->list);
637 l2cap_chan_put(chan);
641 /* Reference was only held for non-fixed channels or
642 * fixed channels that explicitly requested it using the
643 * FLAG_HOLD_HCI_CONN flag.
645 if (chan->chan_type != L2CAP_CHAN_FIXED ||
646 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
647 hci_conn_drop(conn->hcon);
650 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
653 switch (chan->mode) {
654 case L2CAP_MODE_BASIC:
657 case L2CAP_MODE_LE_FLOWCTL:
658 case L2CAP_MODE_EXT_FLOWCTL:
659 skb_queue_purge(&chan->tx_q);
662 case L2CAP_MODE_ERTM:
663 __clear_retrans_timer(chan);
664 __clear_monitor_timer(chan);
665 __clear_ack_timer(chan);
667 skb_queue_purge(&chan->srej_q);
669 l2cap_seq_list_free(&chan->srej_list);
670 l2cap_seq_list_free(&chan->retrans_list);
673 case L2CAP_MODE_STREAMING:
674 skb_queue_purge(&chan->tx_q);
678 EXPORT_SYMBOL_GPL(l2cap_chan_del);
680 static void __l2cap_chan_list_id(struct l2cap_conn *conn, u16 id,
681 l2cap_chan_func_t func, void *data)
683 struct l2cap_chan *chan, *l;
685 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
686 if (chan->ident == id)
691 static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
694 struct l2cap_chan *chan;
696 list_for_each_entry(chan, &conn->chan_l, list) {
701 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
707 mutex_lock(&conn->chan_lock);
708 __l2cap_chan_list(conn, func, data);
709 mutex_unlock(&conn->chan_lock);
712 EXPORT_SYMBOL_GPL(l2cap_chan_list);
714 static void l2cap_conn_update_id_addr(struct work_struct *work)
716 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
718 struct hci_conn *hcon = conn->hcon;
719 struct l2cap_chan *chan;
721 mutex_lock(&conn->chan_lock);
723 list_for_each_entry(chan, &conn->chan_l, list) {
724 l2cap_chan_lock(chan);
725 bacpy(&chan->dst, &hcon->dst);
726 chan->dst_type = bdaddr_dst_type(hcon);
727 l2cap_chan_unlock(chan);
730 mutex_unlock(&conn->chan_lock);
733 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
735 struct l2cap_conn *conn = chan->conn;
736 struct l2cap_le_conn_rsp rsp;
739 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
740 result = L2CAP_CR_LE_AUTHORIZATION;
742 result = L2CAP_CR_LE_BAD_PSM;
744 l2cap_state_change(chan, BT_DISCONN);
746 rsp.dcid = cpu_to_le16(chan->scid);
747 rsp.mtu = cpu_to_le16(chan->imtu);
748 rsp.mps = cpu_to_le16(chan->mps);
749 rsp.credits = cpu_to_le16(chan->rx_credits);
750 rsp.result = cpu_to_le16(result);
752 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
756 static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
758 l2cap_state_change(chan, BT_DISCONN);
760 __l2cap_ecred_conn_rsp_defer(chan);
763 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
765 struct l2cap_conn *conn = chan->conn;
766 struct l2cap_conn_rsp rsp;
769 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
770 result = L2CAP_CR_SEC_BLOCK;
772 result = L2CAP_CR_BAD_PSM;
774 l2cap_state_change(chan, BT_DISCONN);
776 rsp.scid = cpu_to_le16(chan->dcid);
777 rsp.dcid = cpu_to_le16(chan->scid);
778 rsp.result = cpu_to_le16(result);
779 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
781 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
784 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
786 struct l2cap_conn *conn = chan->conn;
788 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
790 switch (chan->state) {
792 chan->ops->teardown(chan, 0);
797 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
798 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
799 l2cap_send_disconn_req(chan, reason);
801 l2cap_chan_del(chan, reason);
805 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
806 if (conn->hcon->type == ACL_LINK)
807 l2cap_chan_connect_reject(chan);
808 else if (conn->hcon->type == LE_LINK) {
809 switch (chan->mode) {
810 case L2CAP_MODE_LE_FLOWCTL:
811 l2cap_chan_le_connect_reject(chan);
813 case L2CAP_MODE_EXT_FLOWCTL:
814 l2cap_chan_ecred_connect_reject(chan);
820 l2cap_chan_del(chan, reason);
825 l2cap_chan_del(chan, reason);
829 chan->ops->teardown(chan, 0);
833 EXPORT_SYMBOL(l2cap_chan_close);
835 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
837 switch (chan->chan_type) {
839 switch (chan->sec_level) {
840 case BT_SECURITY_HIGH:
841 case BT_SECURITY_FIPS:
842 return HCI_AT_DEDICATED_BONDING_MITM;
843 case BT_SECURITY_MEDIUM:
844 return HCI_AT_DEDICATED_BONDING;
846 return HCI_AT_NO_BONDING;
849 case L2CAP_CHAN_CONN_LESS:
850 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
851 if (chan->sec_level == BT_SECURITY_LOW)
852 chan->sec_level = BT_SECURITY_SDP;
854 if (chan->sec_level == BT_SECURITY_HIGH ||
855 chan->sec_level == BT_SECURITY_FIPS)
856 return HCI_AT_NO_BONDING_MITM;
858 return HCI_AT_NO_BONDING;
860 case L2CAP_CHAN_CONN_ORIENTED:
861 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
862 if (chan->sec_level == BT_SECURITY_LOW)
863 chan->sec_level = BT_SECURITY_SDP;
865 if (chan->sec_level == BT_SECURITY_HIGH ||
866 chan->sec_level == BT_SECURITY_FIPS)
867 return HCI_AT_NO_BONDING_MITM;
869 return HCI_AT_NO_BONDING;
874 switch (chan->sec_level) {
875 case BT_SECURITY_HIGH:
876 case BT_SECURITY_FIPS:
877 return HCI_AT_GENERAL_BONDING_MITM;
878 case BT_SECURITY_MEDIUM:
879 return HCI_AT_GENERAL_BONDING;
881 return HCI_AT_NO_BONDING;
887 /* Service level security */
888 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
890 struct l2cap_conn *conn = chan->conn;
893 if (conn->hcon->type == LE_LINK)
894 return smp_conn_security(conn->hcon, chan->sec_level);
896 auth_type = l2cap_get_auth_type(chan);
898 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
902 static u8 l2cap_get_ident(struct l2cap_conn *conn)
906 /* Get next available identificator.
907 * 1 - 128 are used by kernel.
908 * 129 - 199 are reserved.
909 * 200 - 254 are used by utilities like l2ping, etc.
912 mutex_lock(&conn->ident_lock);
914 if (++conn->tx_ident > 128)
919 mutex_unlock(&conn->ident_lock);
924 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
927 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
930 BT_DBG("code 0x%2.2x", code);
935 /* Use NO_FLUSH if supported or we have an LE link (which does
936 * not support auto-flushing packets) */
937 if (lmp_no_flush_capable(conn->hcon->hdev) ||
938 conn->hcon->type == LE_LINK)
939 flags = ACL_START_NO_FLUSH;
943 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
944 skb->priority = HCI_PRIO_MAX;
946 hci_send_acl(conn->hchan, skb, flags);
949 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
951 struct hci_conn *hcon = chan->conn->hcon;
954 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
957 /* Use NO_FLUSH for LE links (where this is the only option) or
958 * if the BR/EDR link supports it and flushing has not been
959 * explicitly requested (through FLAG_FLUSHABLE).
961 if (hcon->type == LE_LINK ||
962 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
963 lmp_no_flush_capable(hcon->hdev)))
964 flags = ACL_START_NO_FLUSH;
968 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
969 hci_send_acl(chan->conn->hchan, skb, flags);
972 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
974 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
975 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
977 if (enh & L2CAP_CTRL_FRAME_TYPE) {
980 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
981 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
988 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
989 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
996 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
998 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
999 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
1001 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
1003 control->sframe = 1;
1004 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
1005 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
1011 control->sframe = 0;
1012 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
1013 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1020 static inline void __unpack_control(struct l2cap_chan *chan,
1021 struct sk_buff *skb)
1023 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1024 __unpack_extended_control(get_unaligned_le32(skb->data),
1025 &bt_cb(skb)->l2cap);
1026 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
1028 __unpack_enhanced_control(get_unaligned_le16(skb->data),
1029 &bt_cb(skb)->l2cap);
1030 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
1034 static u32 __pack_extended_control(struct l2cap_ctrl *control)
1038 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1039 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
1041 if (control->sframe) {
1042 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
1043 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
1044 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
1046 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
1047 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1053 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1057 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1058 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1060 if (control->sframe) {
1061 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1062 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1063 packed |= L2CAP_CTRL_FRAME_TYPE;
1065 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1066 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1072 static inline void __pack_control(struct l2cap_chan *chan,
1073 struct l2cap_ctrl *control,
1074 struct sk_buff *skb)
1076 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1077 put_unaligned_le32(__pack_extended_control(control),
1078 skb->data + L2CAP_HDR_SIZE);
1080 put_unaligned_le16(__pack_enhanced_control(control),
1081 skb->data + L2CAP_HDR_SIZE);
1085 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1087 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1088 return L2CAP_EXT_HDR_SIZE;
1090 return L2CAP_ENH_HDR_SIZE;
1093 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1096 struct sk_buff *skb;
1097 struct l2cap_hdr *lh;
1098 int hlen = __ertm_hdr_size(chan);
1100 if (chan->fcs == L2CAP_FCS_CRC16)
1101 hlen += L2CAP_FCS_SIZE;
1103 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1106 return ERR_PTR(-ENOMEM);
1108 lh = skb_put(skb, L2CAP_HDR_SIZE);
1109 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1110 lh->cid = cpu_to_le16(chan->dcid);
1112 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1113 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1115 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1117 if (chan->fcs == L2CAP_FCS_CRC16) {
1118 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1119 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1122 skb->priority = HCI_PRIO_MAX;
1126 static void l2cap_send_sframe(struct l2cap_chan *chan,
1127 struct l2cap_ctrl *control)
1129 struct sk_buff *skb;
1132 BT_DBG("chan %p, control %p", chan, control);
1134 if (!control->sframe)
1137 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1141 if (control->super == L2CAP_SUPER_RR)
1142 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1143 else if (control->super == L2CAP_SUPER_RNR)
1144 set_bit(CONN_RNR_SENT, &chan->conn_state);
1146 if (control->super != L2CAP_SUPER_SREJ) {
1147 chan->last_acked_seq = control->reqseq;
1148 __clear_ack_timer(chan);
1151 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1152 control->final, control->poll, control->super);
1154 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1155 control_field = __pack_extended_control(control);
1157 control_field = __pack_enhanced_control(control);
1159 skb = l2cap_create_sframe_pdu(chan, control_field);
1161 l2cap_do_send(chan, skb);
1164 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1166 struct l2cap_ctrl control;
1168 BT_DBG("chan %p, poll %d", chan, poll);
1170 memset(&control, 0, sizeof(control));
1172 control.poll = poll;
1174 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1175 control.super = L2CAP_SUPER_RNR;
1177 control.super = L2CAP_SUPER_RR;
1179 control.reqseq = chan->buffer_seq;
1180 l2cap_send_sframe(chan, &control);
1183 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1185 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1188 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1191 void l2cap_send_conn_req(struct l2cap_chan *chan)
1193 struct l2cap_conn *conn = chan->conn;
1194 struct l2cap_conn_req req;
1196 req.scid = cpu_to_le16(chan->scid);
1197 req.psm = chan->psm;
1199 chan->ident = l2cap_get_ident(conn);
1201 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1203 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1206 static void l2cap_chan_ready(struct l2cap_chan *chan)
1208 /* The channel may have already been flagged as connected in
1209 * case of receiving data before the L2CAP info req/rsp
1210 * procedure is complete.
1212 if (chan->state == BT_CONNECTED)
1215 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1216 chan->conf_state = 0;
1217 __clear_chan_timer(chan);
1219 switch (chan->mode) {
1220 case L2CAP_MODE_LE_FLOWCTL:
1221 case L2CAP_MODE_EXT_FLOWCTL:
1222 if (!chan->tx_credits)
1223 chan->ops->suspend(chan);
1227 chan->state = BT_CONNECTED;
1229 chan->ops->ready(chan);
1232 static void l2cap_le_connect(struct l2cap_chan *chan)
1234 struct l2cap_conn *conn = chan->conn;
1235 struct l2cap_le_conn_req req;
1237 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1241 chan->imtu = chan->conn->mtu;
1243 l2cap_le_flowctl_init(chan, 0);
1245 memset(&req, 0, sizeof(req));
1246 req.psm = chan->psm;
1247 req.scid = cpu_to_le16(chan->scid);
1248 req.mtu = cpu_to_le16(chan->imtu);
1249 req.mps = cpu_to_le16(chan->mps);
1250 req.credits = cpu_to_le16(chan->rx_credits);
1252 chan->ident = l2cap_get_ident(conn);
1254 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1258 struct l2cap_ecred_conn_data {
1260 struct l2cap_ecred_conn_req req;
1263 struct l2cap_chan *chan;
1268 static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
1270 struct l2cap_ecred_conn_data *conn = data;
1273 if (chan == conn->chan)
1276 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
1279 pid = chan->ops->get_peer_pid(chan);
1281 /* Only add deferred channels with the same PID/PSM */
1282 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
1283 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
1286 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1289 l2cap_ecred_init(chan, 0);
1291 /* Set the same ident so we can match on the rsp */
1292 chan->ident = conn->chan->ident;
1294 /* Include all channels deferred */
1295 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
1300 static void l2cap_ecred_connect(struct l2cap_chan *chan)
1302 struct l2cap_conn *conn = chan->conn;
1303 struct l2cap_ecred_conn_data data;
1305 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
1308 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1311 l2cap_ecred_init(chan, 0);
1313 memset(&data, 0, sizeof(data));
1314 data.pdu.req.psm = chan->psm;
1315 data.pdu.req.mtu = cpu_to_le16(chan->imtu);
1316 data.pdu.req.mps = cpu_to_le16(chan->mps);
1317 data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
1318 data.pdu.scid[0] = cpu_to_le16(chan->scid);
1320 chan->ident = l2cap_get_ident(conn);
1324 data.pid = chan->ops->get_peer_pid(chan);
1326 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
1328 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
1329 sizeof(data.pdu.req) + data.count * sizeof(__le16),
1333 static void l2cap_le_start(struct l2cap_chan *chan)
1335 struct l2cap_conn *conn = chan->conn;
1337 if (!smp_conn_security(conn->hcon, chan->sec_level))
1341 l2cap_chan_ready(chan);
1345 if (chan->state == BT_CONNECT) {
1346 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
1347 l2cap_ecred_connect(chan);
1349 l2cap_le_connect(chan);
1353 static void l2cap_start_connection(struct l2cap_chan *chan)
1355 if (chan->conn->hcon->type == LE_LINK) {
1356 l2cap_le_start(chan);
1358 l2cap_send_conn_req(chan);
1362 static void l2cap_request_info(struct l2cap_conn *conn)
1364 struct l2cap_info_req req;
1366 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1369 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1371 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1372 conn->info_ident = l2cap_get_ident(conn);
1374 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1376 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1380 static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
1382 /* The minimum encryption key size needs to be enforced by the
1383 * host stack before establishing any L2CAP connections. The
1384 * specification in theory allows a minimum of 1, but to align
1385 * BR/EDR and LE transports, a minimum of 7 is chosen.
1387 * This check might also be called for unencrypted connections
1388 * that have no key size requirements. Ensure that the link is
1389 * actually encrypted before enforcing a key size.
1391 int min_key_size = hcon->hdev->min_enc_key_size;
1393 /* On FIPS security level, key size must be 16 bytes */
1394 if (hcon->sec_level == BT_SECURITY_FIPS)
1397 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1398 hcon->enc_key_size >= min_key_size);
1401 static void l2cap_do_start(struct l2cap_chan *chan)
1403 struct l2cap_conn *conn = chan->conn;
1405 if (conn->hcon->type == LE_LINK) {
1406 l2cap_le_start(chan);
1410 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1411 l2cap_request_info(conn);
1415 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1418 if (!l2cap_chan_check_security(chan, true) ||
1419 !__l2cap_no_conn_pending(chan))
1422 if (l2cap_check_enc_key_size(conn->hcon))
1423 l2cap_start_connection(chan);
1425 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1428 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1430 u32 local_feat_mask = l2cap_feat_mask;
1432 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1435 case L2CAP_MODE_ERTM:
1436 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1437 case L2CAP_MODE_STREAMING:
1438 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1444 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1446 struct l2cap_conn *conn = chan->conn;
1447 struct l2cap_disconn_req req;
1452 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1453 __clear_retrans_timer(chan);
1454 __clear_monitor_timer(chan);
1455 __clear_ack_timer(chan);
1458 req.dcid = cpu_to_le16(chan->dcid);
1459 req.scid = cpu_to_le16(chan->scid);
1460 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1463 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1466 /* ---- L2CAP connections ---- */
1467 static void l2cap_conn_start(struct l2cap_conn *conn)
1469 struct l2cap_chan *chan, *tmp;
1471 BT_DBG("conn %p", conn);
1473 mutex_lock(&conn->chan_lock);
1475 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1476 l2cap_chan_lock(chan);
1478 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1479 l2cap_chan_ready(chan);
1480 l2cap_chan_unlock(chan);
1484 if (chan->state == BT_CONNECT) {
1485 if (!l2cap_chan_check_security(chan, true) ||
1486 !__l2cap_no_conn_pending(chan)) {
1487 l2cap_chan_unlock(chan);
1491 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1492 && test_bit(CONF_STATE2_DEVICE,
1493 &chan->conf_state)) {
1494 l2cap_chan_close(chan, ECONNRESET);
1495 l2cap_chan_unlock(chan);
1499 if (l2cap_check_enc_key_size(conn->hcon))
1500 l2cap_start_connection(chan);
1502 l2cap_chan_close(chan, ECONNREFUSED);
1504 } else if (chan->state == BT_CONNECT2) {
1505 struct l2cap_conn_rsp rsp;
1507 rsp.scid = cpu_to_le16(chan->dcid);
1508 rsp.dcid = cpu_to_le16(chan->scid);
1510 if (l2cap_chan_check_security(chan, false)) {
1511 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1512 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1513 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1514 chan->ops->defer(chan);
1517 l2cap_state_change(chan, BT_CONFIG);
1518 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1519 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1522 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1523 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1526 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1529 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1530 rsp.result != L2CAP_CR_SUCCESS) {
1531 l2cap_chan_unlock(chan);
1535 set_bit(CONF_REQ_SENT, &chan->conf_state);
1536 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1537 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1538 chan->num_conf_req++;
1541 l2cap_chan_unlock(chan);
1544 mutex_unlock(&conn->chan_lock);
1547 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1549 struct hci_conn *hcon = conn->hcon;
1550 struct hci_dev *hdev = hcon->hdev;
1552 BT_DBG("%s conn %p", hdev->name, conn);
1554 /* For outgoing pairing which doesn't necessarily have an
1555 * associated socket (e.g. mgmt_pair_device).
1558 smp_conn_security(hcon, hcon->pending_sec_level);
1560 /* For LE peripheral connections, make sure the connection interval
1561 * is in the range of the minimum and maximum interval that has
1562 * been configured for this connection. If not, then trigger
1563 * the connection update procedure.
1565 if (hcon->role == HCI_ROLE_SLAVE &&
1566 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1567 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1568 struct l2cap_conn_param_update_req req;
1570 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1571 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1572 req.latency = cpu_to_le16(hcon->le_conn_latency);
1573 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1575 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1576 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1580 static void l2cap_conn_ready(struct l2cap_conn *conn)
1582 struct l2cap_chan *chan;
1583 struct hci_conn *hcon = conn->hcon;
1585 BT_DBG("conn %p", conn);
1587 if (hcon->type == ACL_LINK)
1588 l2cap_request_info(conn);
1590 mutex_lock(&conn->chan_lock);
1592 list_for_each_entry(chan, &conn->chan_l, list) {
1594 l2cap_chan_lock(chan);
1596 if (hcon->type == LE_LINK) {
1597 l2cap_le_start(chan);
1598 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1599 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1600 l2cap_chan_ready(chan);
1601 } else if (chan->state == BT_CONNECT) {
1602 l2cap_do_start(chan);
1605 l2cap_chan_unlock(chan);
1608 mutex_unlock(&conn->chan_lock);
1610 if (hcon->type == LE_LINK)
1611 l2cap_le_conn_ready(conn);
1613 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1616 /* Notify sockets that we cannot guaranty reliability anymore */
1617 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1619 struct l2cap_chan *chan;
1621 BT_DBG("conn %p", conn);
1623 mutex_lock(&conn->chan_lock);
1625 list_for_each_entry(chan, &conn->chan_l, list) {
1626 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1627 l2cap_chan_set_err(chan, err);
1630 mutex_unlock(&conn->chan_lock);
1633 static void l2cap_info_timeout(struct work_struct *work)
1635 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1638 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1639 conn->info_ident = 0;
1641 l2cap_conn_start(conn);
1646 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1647 * callback is called during registration. The ->remove callback is called
1648 * during unregistration.
1649 * An l2cap_user object can either be explicitly unregistered or when the
1650 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1651 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1652 * External modules must own a reference to the l2cap_conn object if they intend
1653 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1654 * any time if they don't.
1657 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1659 struct hci_dev *hdev = conn->hcon->hdev;
1662 /* We need to check whether l2cap_conn is registered. If it is not, we
1663 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1664 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1665 * relies on the parent hci_conn object to be locked. This itself relies
1666 * on the hci_dev object to be locked. So we must lock the hci device
1671 if (!list_empty(&user->list)) {
1676 /* conn->hchan is NULL after l2cap_conn_del() was called */
1682 ret = user->probe(conn, user);
1686 list_add(&user->list, &conn->users);
1690 hci_dev_unlock(hdev);
1693 EXPORT_SYMBOL(l2cap_register_user);
1695 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1697 struct hci_dev *hdev = conn->hcon->hdev;
1701 if (list_empty(&user->list))
1704 list_del_init(&user->list);
1705 user->remove(conn, user);
1708 hci_dev_unlock(hdev);
1710 EXPORT_SYMBOL(l2cap_unregister_user);
1712 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1714 struct l2cap_user *user;
1716 while (!list_empty(&conn->users)) {
1717 user = list_first_entry(&conn->users, struct l2cap_user, list);
1718 list_del_init(&user->list);
1719 user->remove(conn, user);
1723 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1725 struct l2cap_conn *conn = hcon->l2cap_data;
1726 struct l2cap_chan *chan, *l;
1731 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1733 kfree_skb(conn->rx_skb);
1735 skb_queue_purge(&conn->pending_rx);
1737 /* We can not call flush_work(&conn->pending_rx_work) here since we
1738 * might block if we are running on a worker from the same workqueue
1739 * pending_rx_work is waiting on.
1741 if (work_pending(&conn->pending_rx_work))
1742 cancel_work_sync(&conn->pending_rx_work);
1744 cancel_delayed_work_sync(&conn->id_addr_timer);
1746 l2cap_unregister_all_users(conn);
1748 /* Force the connection to be immediately dropped */
1749 hcon->disc_timeout = 0;
1751 mutex_lock(&conn->chan_lock);
1754 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1755 l2cap_chan_hold(chan);
1756 l2cap_chan_lock(chan);
1758 l2cap_chan_del(chan, err);
1760 chan->ops->close(chan);
1762 l2cap_chan_unlock(chan);
1763 l2cap_chan_put(chan);
1766 mutex_unlock(&conn->chan_lock);
1768 hci_chan_del(conn->hchan);
1770 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1771 cancel_delayed_work_sync(&conn->info_timer);
1773 hcon->l2cap_data = NULL;
1775 l2cap_conn_put(conn);
1778 static void l2cap_conn_free(struct kref *ref)
1780 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1782 hci_conn_put(conn->hcon);
1786 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1788 kref_get(&conn->ref);
1791 EXPORT_SYMBOL(l2cap_conn_get);
1793 void l2cap_conn_put(struct l2cap_conn *conn)
1795 kref_put(&conn->ref, l2cap_conn_free);
1797 EXPORT_SYMBOL(l2cap_conn_put);
1799 /* ---- Socket interface ---- */
1801 /* Find socket with psm and source / destination bdaddr.
1802 * Returns closest match.
1804 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1809 struct l2cap_chan *c, *tmp, *c1 = NULL;
1811 read_lock(&chan_list_lock);
1813 list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
1814 if (state && c->state != state)
1817 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1820 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1823 if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) {
1824 int src_match, dst_match;
1825 int src_any, dst_any;
1828 src_match = !bacmp(&c->src, src);
1829 dst_match = !bacmp(&c->dst, dst);
1830 if (src_match && dst_match) {
1831 if (!l2cap_chan_hold_unless_zero(c))
1834 read_unlock(&chan_list_lock);
1839 src_any = !bacmp(&c->src, BDADDR_ANY);
1840 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1841 if ((src_match && dst_any) || (src_any && dst_match) ||
1842 (src_any && dst_any))
1848 c1 = l2cap_chan_hold_unless_zero(c1);
1850 read_unlock(&chan_list_lock);
1855 static void l2cap_monitor_timeout(struct work_struct *work)
1857 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1858 monitor_timer.work);
1860 BT_DBG("chan %p", chan);
1862 l2cap_chan_lock(chan);
1865 l2cap_chan_unlock(chan);
1866 l2cap_chan_put(chan);
1870 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1872 l2cap_chan_unlock(chan);
1873 l2cap_chan_put(chan);
1876 static void l2cap_retrans_timeout(struct work_struct *work)
1878 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1879 retrans_timer.work);
1881 BT_DBG("chan %p", chan);
1883 l2cap_chan_lock(chan);
1886 l2cap_chan_unlock(chan);
1887 l2cap_chan_put(chan);
1891 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1892 l2cap_chan_unlock(chan);
1893 l2cap_chan_put(chan);
1896 static void l2cap_streaming_send(struct l2cap_chan *chan,
1897 struct sk_buff_head *skbs)
1899 struct sk_buff *skb;
1900 struct l2cap_ctrl *control;
1902 BT_DBG("chan %p, skbs %p", chan, skbs);
1904 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1906 while (!skb_queue_empty(&chan->tx_q)) {
1908 skb = skb_dequeue(&chan->tx_q);
1910 bt_cb(skb)->l2cap.retries = 1;
1911 control = &bt_cb(skb)->l2cap;
1913 control->reqseq = 0;
1914 control->txseq = chan->next_tx_seq;
1916 __pack_control(chan, control, skb);
1918 if (chan->fcs == L2CAP_FCS_CRC16) {
1919 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1920 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1923 l2cap_do_send(chan, skb);
1925 BT_DBG("Sent txseq %u", control->txseq);
1927 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1928 chan->frames_sent++;
1932 static int l2cap_ertm_send(struct l2cap_chan *chan)
1934 struct sk_buff *skb, *tx_skb;
1935 struct l2cap_ctrl *control;
1938 BT_DBG("chan %p", chan);
1940 if (chan->state != BT_CONNECTED)
1943 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1946 while (chan->tx_send_head &&
1947 chan->unacked_frames < chan->remote_tx_win &&
1948 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1950 skb = chan->tx_send_head;
1952 bt_cb(skb)->l2cap.retries = 1;
1953 control = &bt_cb(skb)->l2cap;
1955 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1958 control->reqseq = chan->buffer_seq;
1959 chan->last_acked_seq = chan->buffer_seq;
1960 control->txseq = chan->next_tx_seq;
1962 __pack_control(chan, control, skb);
1964 if (chan->fcs == L2CAP_FCS_CRC16) {
1965 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1966 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1969 /* Clone after data has been modified. Data is assumed to be
1970 read-only (for locking purposes) on cloned sk_buffs.
1972 tx_skb = skb_clone(skb, GFP_KERNEL);
1977 __set_retrans_timer(chan);
1979 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1980 chan->unacked_frames++;
1981 chan->frames_sent++;
1984 if (skb_queue_is_last(&chan->tx_q, skb))
1985 chan->tx_send_head = NULL;
1987 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1989 l2cap_do_send(chan, tx_skb);
1990 BT_DBG("Sent txseq %u", control->txseq);
1993 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1994 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1999 static void l2cap_ertm_resend(struct l2cap_chan *chan)
2001 struct l2cap_ctrl control;
2002 struct sk_buff *skb;
2003 struct sk_buff *tx_skb;
2006 BT_DBG("chan %p", chan);
2008 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2011 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2012 seq = l2cap_seq_list_pop(&chan->retrans_list);
2014 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2016 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2021 bt_cb(skb)->l2cap.retries++;
2022 control = bt_cb(skb)->l2cap;
2024 if (chan->max_tx != 0 &&
2025 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2026 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2027 l2cap_send_disconn_req(chan, ECONNRESET);
2028 l2cap_seq_list_clear(&chan->retrans_list);
2032 control.reqseq = chan->buffer_seq;
2033 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2038 if (skb_cloned(skb)) {
2039 /* Cloned sk_buffs are read-only, so we need a
2042 tx_skb = skb_copy(skb, GFP_KERNEL);
2044 tx_skb = skb_clone(skb, GFP_KERNEL);
2048 l2cap_seq_list_clear(&chan->retrans_list);
2052 /* Update skb contents */
2053 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2054 put_unaligned_le32(__pack_extended_control(&control),
2055 tx_skb->data + L2CAP_HDR_SIZE);
2057 put_unaligned_le16(__pack_enhanced_control(&control),
2058 tx_skb->data + L2CAP_HDR_SIZE);
2062 if (chan->fcs == L2CAP_FCS_CRC16) {
2063 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2064 tx_skb->len - L2CAP_FCS_SIZE);
2065 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2069 l2cap_do_send(chan, tx_skb);
2071 BT_DBG("Resent txseq %d", control.txseq);
2073 chan->last_acked_seq = chan->buffer_seq;
2077 static void l2cap_retransmit(struct l2cap_chan *chan,
2078 struct l2cap_ctrl *control)
2080 BT_DBG("chan %p, control %p", chan, control);
2082 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2083 l2cap_ertm_resend(chan);
2086 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2087 struct l2cap_ctrl *control)
2089 struct sk_buff *skb;
2091 BT_DBG("chan %p, control %p", chan, control);
2094 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2096 l2cap_seq_list_clear(&chan->retrans_list);
2098 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2101 if (chan->unacked_frames) {
2102 skb_queue_walk(&chan->tx_q, skb) {
2103 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2104 skb == chan->tx_send_head)
2108 skb_queue_walk_from(&chan->tx_q, skb) {
2109 if (skb == chan->tx_send_head)
2112 l2cap_seq_list_append(&chan->retrans_list,
2113 bt_cb(skb)->l2cap.txseq);
2116 l2cap_ertm_resend(chan);
2120 static void l2cap_send_ack(struct l2cap_chan *chan)
2122 struct l2cap_ctrl control;
2123 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2124 chan->last_acked_seq);
2127 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2128 chan, chan->last_acked_seq, chan->buffer_seq);
2130 memset(&control, 0, sizeof(control));
2133 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2134 chan->rx_state == L2CAP_RX_STATE_RECV) {
2135 __clear_ack_timer(chan);
2136 control.super = L2CAP_SUPER_RNR;
2137 control.reqseq = chan->buffer_seq;
2138 l2cap_send_sframe(chan, &control);
2140 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2141 l2cap_ertm_send(chan);
2142 /* If any i-frames were sent, they included an ack */
2143 if (chan->buffer_seq == chan->last_acked_seq)
2147 /* Ack now if the window is 3/4ths full.
2148 * Calculate without mul or div
2150 threshold = chan->ack_win;
2151 threshold += threshold << 1;
2154 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2157 if (frames_to_ack >= threshold) {
2158 __clear_ack_timer(chan);
2159 control.super = L2CAP_SUPER_RR;
2160 control.reqseq = chan->buffer_seq;
2161 l2cap_send_sframe(chan, &control);
2166 __set_ack_timer(chan);
2170 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2171 struct msghdr *msg, int len,
2172 int count, struct sk_buff *skb)
2174 struct l2cap_conn *conn = chan->conn;
2175 struct sk_buff **frag;
2178 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2184 /* Continuation fragments (no L2CAP header) */
2185 frag = &skb_shinfo(skb)->frag_list;
2187 struct sk_buff *tmp;
2189 count = min_t(unsigned int, conn->mtu, len);
2191 tmp = chan->ops->alloc_skb(chan, 0, count,
2192 msg->msg_flags & MSG_DONTWAIT);
2194 return PTR_ERR(tmp);
2198 if (!copy_from_iter_full(skb_put(*frag, count), count,
2205 skb->len += (*frag)->len;
2206 skb->data_len += (*frag)->len;
2208 frag = &(*frag)->next;
2214 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2215 struct msghdr *msg, size_t len)
2217 struct l2cap_conn *conn = chan->conn;
2218 struct sk_buff *skb;
2219 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2220 struct l2cap_hdr *lh;
2222 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2223 __le16_to_cpu(chan->psm), len);
2225 count = min_t(unsigned int, (conn->mtu - hlen), len);
2227 skb = chan->ops->alloc_skb(chan, hlen, count,
2228 msg->msg_flags & MSG_DONTWAIT);
2232 /* Create L2CAP header */
2233 lh = skb_put(skb, L2CAP_HDR_SIZE);
2234 lh->cid = cpu_to_le16(chan->dcid);
2235 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2236 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2238 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2239 if (unlikely(err < 0)) {
2241 return ERR_PTR(err);
2246 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2247 struct msghdr *msg, size_t len)
2249 struct l2cap_conn *conn = chan->conn;
2250 struct sk_buff *skb;
2252 struct l2cap_hdr *lh;
2254 BT_DBG("chan %p len %zu", chan, len);
2256 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2258 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2259 msg->msg_flags & MSG_DONTWAIT);
2263 /* Create L2CAP header */
2264 lh = skb_put(skb, L2CAP_HDR_SIZE);
2265 lh->cid = cpu_to_le16(chan->dcid);
2266 lh->len = cpu_to_le16(len);
2268 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2269 if (unlikely(err < 0)) {
2271 return ERR_PTR(err);
2276 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2277 struct msghdr *msg, size_t len,
2280 struct l2cap_conn *conn = chan->conn;
2281 struct sk_buff *skb;
2282 int err, count, hlen;
2283 struct l2cap_hdr *lh;
2285 BT_DBG("chan %p len %zu", chan, len);
2288 return ERR_PTR(-ENOTCONN);
2290 hlen = __ertm_hdr_size(chan);
2293 hlen += L2CAP_SDULEN_SIZE;
2295 if (chan->fcs == L2CAP_FCS_CRC16)
2296 hlen += L2CAP_FCS_SIZE;
2298 count = min_t(unsigned int, (conn->mtu - hlen), len);
2300 skb = chan->ops->alloc_skb(chan, hlen, count,
2301 msg->msg_flags & MSG_DONTWAIT);
2305 /* Create L2CAP header */
2306 lh = skb_put(skb, L2CAP_HDR_SIZE);
2307 lh->cid = cpu_to_le16(chan->dcid);
2308 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2310 /* Control header is populated later */
2311 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2312 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2314 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2317 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2319 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2320 if (unlikely(err < 0)) {
2322 return ERR_PTR(err);
2325 bt_cb(skb)->l2cap.fcs = chan->fcs;
2326 bt_cb(skb)->l2cap.retries = 0;
2330 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2331 struct sk_buff_head *seg_queue,
2332 struct msghdr *msg, size_t len)
2334 struct sk_buff *skb;
2339 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2341 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2342 * so fragmented skbs are not used. The HCI layer's handling
2343 * of fragmented skbs is not compatible with ERTM's queueing.
2346 /* PDU size is derived from the HCI MTU */
2347 pdu_len = chan->conn->mtu;
2349 /* Constrain PDU size for BR/EDR connections */
2350 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2352 /* Adjust for largest possible L2CAP overhead. */
2354 pdu_len -= L2CAP_FCS_SIZE;
2356 pdu_len -= __ertm_hdr_size(chan);
2358 /* Remote device may have requested smaller PDUs */
2359 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2361 if (len <= pdu_len) {
2362 sar = L2CAP_SAR_UNSEGMENTED;
2366 sar = L2CAP_SAR_START;
2371 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2374 __skb_queue_purge(seg_queue);
2375 return PTR_ERR(skb);
2378 bt_cb(skb)->l2cap.sar = sar;
2379 __skb_queue_tail(seg_queue, skb);
2385 if (len <= pdu_len) {
2386 sar = L2CAP_SAR_END;
2389 sar = L2CAP_SAR_CONTINUE;
2396 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2398 size_t len, u16 sdulen)
2400 struct l2cap_conn *conn = chan->conn;
2401 struct sk_buff *skb;
2402 int err, count, hlen;
2403 struct l2cap_hdr *lh;
2405 BT_DBG("chan %p len %zu", chan, len);
2408 return ERR_PTR(-ENOTCONN);
2410 hlen = L2CAP_HDR_SIZE;
2413 hlen += L2CAP_SDULEN_SIZE;
2415 count = min_t(unsigned int, (conn->mtu - hlen), len);
2417 skb = chan->ops->alloc_skb(chan, hlen, count,
2418 msg->msg_flags & MSG_DONTWAIT);
2422 /* Create L2CAP header */
2423 lh = skb_put(skb, L2CAP_HDR_SIZE);
2424 lh->cid = cpu_to_le16(chan->dcid);
2425 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2428 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2430 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2431 if (unlikely(err < 0)) {
2433 return ERR_PTR(err);
2439 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2440 struct sk_buff_head *seg_queue,
2441 struct msghdr *msg, size_t len)
2443 struct sk_buff *skb;
2447 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2450 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2456 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2458 __skb_queue_purge(seg_queue);
2459 return PTR_ERR(skb);
2462 __skb_queue_tail(seg_queue, skb);
2468 pdu_len += L2CAP_SDULEN_SIZE;
2475 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2479 BT_DBG("chan %p", chan);
2481 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2482 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2487 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2488 skb_queue_len(&chan->tx_q));
2491 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2493 struct sk_buff *skb;
2495 struct sk_buff_head seg_queue;
2500 /* Connectionless channel */
2501 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2502 skb = l2cap_create_connless_pdu(chan, msg, len);
2504 return PTR_ERR(skb);
2506 l2cap_do_send(chan, skb);
2510 switch (chan->mode) {
2511 case L2CAP_MODE_LE_FLOWCTL:
2512 case L2CAP_MODE_EXT_FLOWCTL:
2513 /* Check outgoing MTU */
2514 if (len > chan->omtu)
2517 __skb_queue_head_init(&seg_queue);
2519 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2521 if (chan->state != BT_CONNECTED) {
2522 __skb_queue_purge(&seg_queue);
2529 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2531 l2cap_le_flowctl_send(chan);
2533 if (!chan->tx_credits)
2534 chan->ops->suspend(chan);
2540 case L2CAP_MODE_BASIC:
2541 /* Check outgoing MTU */
2542 if (len > chan->omtu)
2545 /* Create a basic PDU */
2546 skb = l2cap_create_basic_pdu(chan, msg, len);
2548 return PTR_ERR(skb);
2550 l2cap_do_send(chan, skb);
2554 case L2CAP_MODE_ERTM:
2555 case L2CAP_MODE_STREAMING:
2556 /* Check outgoing MTU */
2557 if (len > chan->omtu) {
2562 __skb_queue_head_init(&seg_queue);
2564 /* Do segmentation before calling in to the state machine,
2565 * since it's possible to block while waiting for memory
2568 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2573 if (chan->mode == L2CAP_MODE_ERTM)
2574 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2576 l2cap_streaming_send(chan, &seg_queue);
2580 /* If the skbs were not queued for sending, they'll still be in
2581 * seg_queue and need to be purged.
2583 __skb_queue_purge(&seg_queue);
2587 BT_DBG("bad state %1.1x", chan->mode);
2593 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2595 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2597 struct l2cap_ctrl control;
2600 BT_DBG("chan %p, txseq %u", chan, txseq);
2602 memset(&control, 0, sizeof(control));
2604 control.super = L2CAP_SUPER_SREJ;
2606 for (seq = chan->expected_tx_seq; seq != txseq;
2607 seq = __next_seq(chan, seq)) {
2608 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2609 control.reqseq = seq;
2610 l2cap_send_sframe(chan, &control);
2611 l2cap_seq_list_append(&chan->srej_list, seq);
2615 chan->expected_tx_seq = __next_seq(chan, txseq);
2618 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2620 struct l2cap_ctrl control;
2622 BT_DBG("chan %p", chan);
2624 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2627 memset(&control, 0, sizeof(control));
2629 control.super = L2CAP_SUPER_SREJ;
2630 control.reqseq = chan->srej_list.tail;
2631 l2cap_send_sframe(chan, &control);
2634 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2636 struct l2cap_ctrl control;
2640 BT_DBG("chan %p, txseq %u", chan, txseq);
2642 memset(&control, 0, sizeof(control));
2644 control.super = L2CAP_SUPER_SREJ;
2646 /* Capture initial list head to allow only one pass through the list. */
2647 initial_head = chan->srej_list.head;
2650 seq = l2cap_seq_list_pop(&chan->srej_list);
2651 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2654 control.reqseq = seq;
2655 l2cap_send_sframe(chan, &control);
2656 l2cap_seq_list_append(&chan->srej_list, seq);
2657 } while (chan->srej_list.head != initial_head);
2660 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2662 struct sk_buff *acked_skb;
2665 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2667 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2670 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2671 chan->expected_ack_seq, chan->unacked_frames);
2673 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2674 ackseq = __next_seq(chan, ackseq)) {
2676 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2678 skb_unlink(acked_skb, &chan->tx_q);
2679 kfree_skb(acked_skb);
2680 chan->unacked_frames--;
2684 chan->expected_ack_seq = reqseq;
2686 if (chan->unacked_frames == 0)
2687 __clear_retrans_timer(chan);
2689 BT_DBG("unacked_frames %u", chan->unacked_frames);
2692 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2694 BT_DBG("chan %p", chan);
2696 chan->expected_tx_seq = chan->buffer_seq;
2697 l2cap_seq_list_clear(&chan->srej_list);
2698 skb_queue_purge(&chan->srej_q);
2699 chan->rx_state = L2CAP_RX_STATE_RECV;
2702 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2703 struct l2cap_ctrl *control,
2704 struct sk_buff_head *skbs, u8 event)
2706 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2710 case L2CAP_EV_DATA_REQUEST:
2711 if (chan->tx_send_head == NULL)
2712 chan->tx_send_head = skb_peek(skbs);
2714 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2715 l2cap_ertm_send(chan);
2717 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2718 BT_DBG("Enter LOCAL_BUSY");
2719 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2721 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2722 /* The SREJ_SENT state must be aborted if we are to
2723 * enter the LOCAL_BUSY state.
2725 l2cap_abort_rx_srej_sent(chan);
2728 l2cap_send_ack(chan);
2731 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2732 BT_DBG("Exit LOCAL_BUSY");
2733 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2735 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2736 struct l2cap_ctrl local_control;
2738 memset(&local_control, 0, sizeof(local_control));
2739 local_control.sframe = 1;
2740 local_control.super = L2CAP_SUPER_RR;
2741 local_control.poll = 1;
2742 local_control.reqseq = chan->buffer_seq;
2743 l2cap_send_sframe(chan, &local_control);
2745 chan->retry_count = 1;
2746 __set_monitor_timer(chan);
2747 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2750 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2751 l2cap_process_reqseq(chan, control->reqseq);
2753 case L2CAP_EV_EXPLICIT_POLL:
2754 l2cap_send_rr_or_rnr(chan, 1);
2755 chan->retry_count = 1;
2756 __set_monitor_timer(chan);
2757 __clear_ack_timer(chan);
2758 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2760 case L2CAP_EV_RETRANS_TO:
2761 l2cap_send_rr_or_rnr(chan, 1);
2762 chan->retry_count = 1;
2763 __set_monitor_timer(chan);
2764 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2766 case L2CAP_EV_RECV_FBIT:
2767 /* Nothing to process */
2774 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2775 struct l2cap_ctrl *control,
2776 struct sk_buff_head *skbs, u8 event)
2778 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2782 case L2CAP_EV_DATA_REQUEST:
2783 if (chan->tx_send_head == NULL)
2784 chan->tx_send_head = skb_peek(skbs);
2785 /* Queue data, but don't send. */
2786 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2788 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2789 BT_DBG("Enter LOCAL_BUSY");
2790 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2792 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2793 /* The SREJ_SENT state must be aborted if we are to
2794 * enter the LOCAL_BUSY state.
2796 l2cap_abort_rx_srej_sent(chan);
2799 l2cap_send_ack(chan);
2802 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2803 BT_DBG("Exit LOCAL_BUSY");
2804 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2806 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2807 struct l2cap_ctrl local_control;
2808 memset(&local_control, 0, sizeof(local_control));
2809 local_control.sframe = 1;
2810 local_control.super = L2CAP_SUPER_RR;
2811 local_control.poll = 1;
2812 local_control.reqseq = chan->buffer_seq;
2813 l2cap_send_sframe(chan, &local_control);
2815 chan->retry_count = 1;
2816 __set_monitor_timer(chan);
2817 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2820 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2821 l2cap_process_reqseq(chan, control->reqseq);
2824 case L2CAP_EV_RECV_FBIT:
2825 if (control && control->final) {
2826 __clear_monitor_timer(chan);
2827 if (chan->unacked_frames > 0)
2828 __set_retrans_timer(chan);
2829 chan->retry_count = 0;
2830 chan->tx_state = L2CAP_TX_STATE_XMIT;
2831 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2834 case L2CAP_EV_EXPLICIT_POLL:
2837 case L2CAP_EV_MONITOR_TO:
2838 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2839 l2cap_send_rr_or_rnr(chan, 1);
2840 __set_monitor_timer(chan);
2841 chan->retry_count++;
2843 l2cap_send_disconn_req(chan, ECONNABORTED);
2851 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2852 struct sk_buff_head *skbs, u8 event)
2854 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2855 chan, control, skbs, event, chan->tx_state);
2857 switch (chan->tx_state) {
2858 case L2CAP_TX_STATE_XMIT:
2859 l2cap_tx_state_xmit(chan, control, skbs, event);
2861 case L2CAP_TX_STATE_WAIT_F:
2862 l2cap_tx_state_wait_f(chan, control, skbs, event);
2870 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2871 struct l2cap_ctrl *control)
2873 BT_DBG("chan %p, control %p", chan, control);
2874 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2877 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2878 struct l2cap_ctrl *control)
2880 BT_DBG("chan %p, control %p", chan, control);
2881 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2884 /* Copy frame to all raw sockets on that connection */
2885 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2887 struct sk_buff *nskb;
2888 struct l2cap_chan *chan;
2890 BT_DBG("conn %p", conn);
2892 mutex_lock(&conn->chan_lock);
2894 list_for_each_entry(chan, &conn->chan_l, list) {
2895 if (chan->chan_type != L2CAP_CHAN_RAW)
2898 /* Don't send frame to the channel it came from */
2899 if (bt_cb(skb)->l2cap.chan == chan)
2902 nskb = skb_clone(skb, GFP_KERNEL);
2905 if (chan->ops->recv(chan, nskb))
2909 mutex_unlock(&conn->chan_lock);
2912 /* ---- L2CAP signalling commands ---- */
2913 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2914 u8 ident, u16 dlen, void *data)
2916 struct sk_buff *skb, **frag;
2917 struct l2cap_cmd_hdr *cmd;
2918 struct l2cap_hdr *lh;
2921 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2922 conn, code, ident, dlen);
2924 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2927 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2928 count = min_t(unsigned int, conn->mtu, len);
2930 skb = bt_skb_alloc(count, GFP_KERNEL);
2934 lh = skb_put(skb, L2CAP_HDR_SIZE);
2935 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2937 if (conn->hcon->type == LE_LINK)
2938 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2940 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2942 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
2945 cmd->len = cpu_to_le16(dlen);
2948 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2949 skb_put_data(skb, data, count);
2955 /* Continuation fragments (no L2CAP header) */
2956 frag = &skb_shinfo(skb)->frag_list;
2958 count = min_t(unsigned int, conn->mtu, len);
2960 *frag = bt_skb_alloc(count, GFP_KERNEL);
2964 skb_put_data(*frag, data, count);
2969 frag = &(*frag)->next;
2979 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2982 struct l2cap_conf_opt *opt = *ptr;
2985 len = L2CAP_CONF_OPT_SIZE + opt->len;
2993 *val = *((u8 *) opt->val);
2997 *val = get_unaligned_le16(opt->val);
3001 *val = get_unaligned_le32(opt->val);
3005 *val = (unsigned long) opt->val;
3009 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3013 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3015 struct l2cap_conf_opt *opt = *ptr;
3017 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3019 if (size < L2CAP_CONF_OPT_SIZE + len)
3027 *((u8 *) opt->val) = val;
3031 put_unaligned_le16(val, opt->val);
3035 put_unaligned_le32(val, opt->val);
3039 memcpy(opt->val, (void *) val, len);
3043 *ptr += L2CAP_CONF_OPT_SIZE + len;
3046 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3048 struct l2cap_conf_efs efs;
3050 switch (chan->mode) {
3051 case L2CAP_MODE_ERTM:
3052 efs.id = chan->local_id;
3053 efs.stype = chan->local_stype;
3054 efs.msdu = cpu_to_le16(chan->local_msdu);
3055 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3056 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3057 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3060 case L2CAP_MODE_STREAMING:
3062 efs.stype = L2CAP_SERV_BESTEFFORT;
3063 efs.msdu = cpu_to_le16(chan->local_msdu);
3064 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3073 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3074 (unsigned long) &efs, size);
3077 static void l2cap_ack_timeout(struct work_struct *work)
3079 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3083 BT_DBG("chan %p", chan);
3085 l2cap_chan_lock(chan);
3087 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3088 chan->last_acked_seq);
3091 l2cap_send_rr_or_rnr(chan, 0);
3093 l2cap_chan_unlock(chan);
3094 l2cap_chan_put(chan);
3097 int l2cap_ertm_init(struct l2cap_chan *chan)
3101 chan->next_tx_seq = 0;
3102 chan->expected_tx_seq = 0;
3103 chan->expected_ack_seq = 0;
3104 chan->unacked_frames = 0;
3105 chan->buffer_seq = 0;
3106 chan->frames_sent = 0;
3107 chan->last_acked_seq = 0;
3109 chan->sdu_last_frag = NULL;
3112 skb_queue_head_init(&chan->tx_q);
3114 if (chan->mode != L2CAP_MODE_ERTM)
3117 chan->rx_state = L2CAP_RX_STATE_RECV;
3118 chan->tx_state = L2CAP_TX_STATE_XMIT;
3120 skb_queue_head_init(&chan->srej_q);
3122 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3126 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3128 l2cap_seq_list_free(&chan->srej_list);
3133 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3136 case L2CAP_MODE_STREAMING:
3137 case L2CAP_MODE_ERTM:
3138 if (l2cap_mode_supported(mode, remote_feat_mask))
3142 return L2CAP_MODE_BASIC;
3146 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3148 return (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW);
3151 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3153 return (conn->feat_mask & L2CAP_FEAT_EXT_FLOW);
3156 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3157 struct l2cap_conf_rfc *rfc)
3159 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3160 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3163 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3165 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3166 __l2cap_ews_supported(chan->conn)) {
3167 /* use extended control field */
3168 set_bit(FLAG_EXT_CTRL, &chan->flags);
3169 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3171 chan->tx_win = min_t(u16, chan->tx_win,
3172 L2CAP_DEFAULT_TX_WINDOW);
3173 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3175 chan->ack_win = chan->tx_win;
3178 static void l2cap_mtu_auto(struct l2cap_chan *chan)
3180 struct hci_conn *conn = chan->conn->hcon;
3182 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3184 /* The 2-DH1 packet has between 2 and 56 information bytes
3185 * (including the 2-byte payload header)
3187 if (!(conn->pkt_type & HCI_2DH1))
3190 /* The 3-DH1 packet has between 2 and 85 information bytes
3191 * (including the 2-byte payload header)
3193 if (!(conn->pkt_type & HCI_3DH1))
3196 /* The 2-DH3 packet has between 2 and 369 information bytes
3197 * (including the 2-byte payload header)
3199 if (!(conn->pkt_type & HCI_2DH3))
3202 /* The 3-DH3 packet has between 2 and 554 information bytes
3203 * (including the 2-byte payload header)
3205 if (!(conn->pkt_type & HCI_3DH3))
3208 /* The 2-DH5 packet has between 2 and 681 information bytes
3209 * (including the 2-byte payload header)
3211 if (!(conn->pkt_type & HCI_2DH5))
3214 /* The 3-DH5 packet has between 2 and 1023 information bytes
3215 * (including the 2-byte payload header)
3217 if (!(conn->pkt_type & HCI_3DH5))
3221 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3223 struct l2cap_conf_req *req = data;
3224 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3225 void *ptr = req->data;
3226 void *endptr = data + data_size;
3229 BT_DBG("chan %p", chan);
3231 if (chan->num_conf_req || chan->num_conf_rsp)
3234 switch (chan->mode) {
3235 case L2CAP_MODE_STREAMING:
3236 case L2CAP_MODE_ERTM:
3237 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3240 if (__l2cap_efs_supported(chan->conn))
3241 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3245 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3250 if (chan->imtu != L2CAP_DEFAULT_MTU) {
3252 l2cap_mtu_auto(chan);
3253 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3257 switch (chan->mode) {
3258 case L2CAP_MODE_BASIC:
3262 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3263 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3266 rfc.mode = L2CAP_MODE_BASIC;
3268 rfc.max_transmit = 0;
3269 rfc.retrans_timeout = 0;
3270 rfc.monitor_timeout = 0;
3271 rfc.max_pdu_size = 0;
3273 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3274 (unsigned long) &rfc, endptr - ptr);
3277 case L2CAP_MODE_ERTM:
3278 rfc.mode = L2CAP_MODE_ERTM;
3279 rfc.max_transmit = chan->max_tx;
3281 __l2cap_set_ertm_timeouts(chan, &rfc);
3283 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3284 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3286 rfc.max_pdu_size = cpu_to_le16(size);
3288 l2cap_txwin_setup(chan);
3290 rfc.txwin_size = min_t(u16, chan->tx_win,
3291 L2CAP_DEFAULT_TX_WINDOW);
3293 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3294 (unsigned long) &rfc, endptr - ptr);
3296 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3297 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3299 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3300 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3301 chan->tx_win, endptr - ptr);
3303 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3304 if (chan->fcs == L2CAP_FCS_NONE ||
3305 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3306 chan->fcs = L2CAP_FCS_NONE;
3307 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3308 chan->fcs, endptr - ptr);
3312 case L2CAP_MODE_STREAMING:
3313 l2cap_txwin_setup(chan);
3314 rfc.mode = L2CAP_MODE_STREAMING;
3316 rfc.max_transmit = 0;
3317 rfc.retrans_timeout = 0;
3318 rfc.monitor_timeout = 0;
3320 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3321 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3323 rfc.max_pdu_size = cpu_to_le16(size);
3325 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3326 (unsigned long) &rfc, endptr - ptr);
3328 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3329 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3331 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3332 if (chan->fcs == L2CAP_FCS_NONE ||
3333 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3334 chan->fcs = L2CAP_FCS_NONE;
3335 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3336 chan->fcs, endptr - ptr);
3341 req->dcid = cpu_to_le16(chan->dcid);
3342 req->flags = cpu_to_le16(0);
3347 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3349 struct l2cap_conf_rsp *rsp = data;
3350 void *ptr = rsp->data;
3351 void *endptr = data + data_size;
3352 void *req = chan->conf_req;
3353 int len = chan->conf_len;
3354 int type, hint, olen;
3356 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3357 struct l2cap_conf_efs efs;
3359 u16 mtu = L2CAP_DEFAULT_MTU;
3360 u16 result = L2CAP_CONF_SUCCESS;
3363 BT_DBG("chan %p", chan);
3365 while (len >= L2CAP_CONF_OPT_SIZE) {
3366 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3370 hint = type & L2CAP_CONF_HINT;
3371 type &= L2CAP_CONF_MASK;
3374 case L2CAP_CONF_MTU:
3380 case L2CAP_CONF_FLUSH_TO:
3383 chan->flush_to = val;
3386 case L2CAP_CONF_QOS:
3389 case L2CAP_CONF_RFC:
3390 if (olen != sizeof(rfc))
3392 memcpy(&rfc, (void *) val, olen);
3395 case L2CAP_CONF_FCS:
3398 if (val == L2CAP_FCS_NONE)
3399 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3402 case L2CAP_CONF_EFS:
3403 if (olen != sizeof(efs))
3406 memcpy(&efs, (void *) val, olen);
3409 case L2CAP_CONF_EWS:
3412 return -ECONNREFUSED;
3417 result = L2CAP_CONF_UNKNOWN;
3418 l2cap_add_conf_opt(&ptr, (u8)type, sizeof(u8), type, endptr - ptr);
3423 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3426 switch (chan->mode) {
3427 case L2CAP_MODE_STREAMING:
3428 case L2CAP_MODE_ERTM:
3429 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3430 chan->mode = l2cap_select_mode(rfc.mode,
3431 chan->conn->feat_mask);
3436 if (__l2cap_efs_supported(chan->conn))
3437 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3439 return -ECONNREFUSED;
3442 if (chan->mode != rfc.mode)
3443 return -ECONNREFUSED;
3449 if (chan->mode != rfc.mode) {
3450 result = L2CAP_CONF_UNACCEPT;
3451 rfc.mode = chan->mode;
3453 if (chan->num_conf_rsp == 1)
3454 return -ECONNREFUSED;
3456 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3457 (unsigned long) &rfc, endptr - ptr);
3460 if (result == L2CAP_CONF_SUCCESS) {
3461 /* Configure output options and let the other side know
3462 * which ones we don't like. */
3464 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3465 result = L2CAP_CONF_UNACCEPT;
3468 set_bit(CONF_MTU_DONE, &chan->conf_state);
3470 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3473 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3474 efs.stype != L2CAP_SERV_NOTRAFIC &&
3475 efs.stype != chan->local_stype) {
3477 result = L2CAP_CONF_UNACCEPT;
3479 if (chan->num_conf_req >= 1)
3480 return -ECONNREFUSED;
3482 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3484 (unsigned long) &efs, endptr - ptr);
3486 /* Send PENDING Conf Rsp */
3487 result = L2CAP_CONF_PENDING;
3488 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3493 case L2CAP_MODE_BASIC:
3494 chan->fcs = L2CAP_FCS_NONE;
3495 set_bit(CONF_MODE_DONE, &chan->conf_state);
3498 case L2CAP_MODE_ERTM:
3499 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3500 chan->remote_tx_win = rfc.txwin_size;
3502 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3504 chan->remote_max_tx = rfc.max_transmit;
3506 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3507 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3508 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3509 rfc.max_pdu_size = cpu_to_le16(size);
3510 chan->remote_mps = size;
3512 __l2cap_set_ertm_timeouts(chan, &rfc);
3514 set_bit(CONF_MODE_DONE, &chan->conf_state);
3516 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3517 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3520 test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3521 chan->remote_id = efs.id;
3522 chan->remote_stype = efs.stype;
3523 chan->remote_msdu = le16_to_cpu(efs.msdu);
3524 chan->remote_flush_to =
3525 le32_to_cpu(efs.flush_to);
3526 chan->remote_acc_lat =
3527 le32_to_cpu(efs.acc_lat);
3528 chan->remote_sdu_itime =
3529 le32_to_cpu(efs.sdu_itime);
3530 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3532 (unsigned long) &efs, endptr - ptr);
3536 case L2CAP_MODE_STREAMING:
3537 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3538 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3539 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3540 rfc.max_pdu_size = cpu_to_le16(size);
3541 chan->remote_mps = size;
3543 set_bit(CONF_MODE_DONE, &chan->conf_state);
3545 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3546 (unsigned long) &rfc, endptr - ptr);
3551 result = L2CAP_CONF_UNACCEPT;
3553 memset(&rfc, 0, sizeof(rfc));
3554 rfc.mode = chan->mode;
3557 if (result == L2CAP_CONF_SUCCESS)
3558 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3560 rsp->scid = cpu_to_le16(chan->dcid);
3561 rsp->result = cpu_to_le16(result);
3562 rsp->flags = cpu_to_le16(0);
3567 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3568 void *data, size_t size, u16 *result)
3570 struct l2cap_conf_req *req = data;
3571 void *ptr = req->data;
3572 void *endptr = data + size;
3575 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3576 struct l2cap_conf_efs efs;
3578 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3580 while (len >= L2CAP_CONF_OPT_SIZE) {
3581 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3586 case L2CAP_CONF_MTU:
3589 if (val < L2CAP_DEFAULT_MIN_MTU) {
3590 *result = L2CAP_CONF_UNACCEPT;
3591 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3594 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3598 case L2CAP_CONF_FLUSH_TO:
3601 chan->flush_to = val;
3602 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3603 chan->flush_to, endptr - ptr);
3606 case L2CAP_CONF_RFC:
3607 if (olen != sizeof(rfc))
3609 memcpy(&rfc, (void *)val, olen);
3610 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3611 rfc.mode != chan->mode)
3612 return -ECONNREFUSED;
3614 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3615 (unsigned long) &rfc, endptr - ptr);
3618 case L2CAP_CONF_EWS:
3621 chan->ack_win = min_t(u16, val, chan->ack_win);
3622 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3623 chan->tx_win, endptr - ptr);
3626 case L2CAP_CONF_EFS:
3627 if (olen != sizeof(efs))
3629 memcpy(&efs, (void *)val, olen);
3630 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3631 efs.stype != L2CAP_SERV_NOTRAFIC &&
3632 efs.stype != chan->local_stype)
3633 return -ECONNREFUSED;
3634 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3635 (unsigned long) &efs, endptr - ptr);
3638 case L2CAP_CONF_FCS:
3641 if (*result == L2CAP_CONF_PENDING)
3642 if (val == L2CAP_FCS_NONE)
3643 set_bit(CONF_RECV_NO_FCS,
3649 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3650 return -ECONNREFUSED;
3652 chan->mode = rfc.mode;
3654 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3656 case L2CAP_MODE_ERTM:
3657 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3658 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3659 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3660 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3661 chan->ack_win = min_t(u16, chan->ack_win,
3664 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3665 chan->local_msdu = le16_to_cpu(efs.msdu);
3666 chan->local_sdu_itime =
3667 le32_to_cpu(efs.sdu_itime);
3668 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3669 chan->local_flush_to =
3670 le32_to_cpu(efs.flush_to);
3674 case L2CAP_MODE_STREAMING:
3675 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3679 req->dcid = cpu_to_le16(chan->dcid);
3680 req->flags = cpu_to_le16(0);
3685 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3686 u16 result, u16 flags)
3688 struct l2cap_conf_rsp *rsp = data;
3689 void *ptr = rsp->data;
3691 BT_DBG("chan %p", chan);
3693 rsp->scid = cpu_to_le16(chan->dcid);
3694 rsp->result = cpu_to_le16(result);
3695 rsp->flags = cpu_to_le16(flags);
3700 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3702 struct l2cap_le_conn_rsp rsp;
3703 struct l2cap_conn *conn = chan->conn;
3705 BT_DBG("chan %p", chan);
3707 rsp.dcid = cpu_to_le16(chan->scid);
3708 rsp.mtu = cpu_to_le16(chan->imtu);
3709 rsp.mps = cpu_to_le16(chan->mps);
3710 rsp.credits = cpu_to_le16(chan->rx_credits);
3711 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3713 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3717 static void l2cap_ecred_list_defer(struct l2cap_chan *chan, void *data)
3721 if (*result || test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
3724 switch (chan->state) {
3726 /* If channel still pending accept add to result */
3732 /* If not connected or pending accept it has been refused */
3733 *result = -ECONNREFUSED;
3738 struct l2cap_ecred_rsp_data {
3740 struct l2cap_ecred_conn_rsp rsp;
3741 __le16 scid[L2CAP_ECRED_MAX_CID];
3746 static void l2cap_ecred_rsp_defer(struct l2cap_chan *chan, void *data)
3748 struct l2cap_ecred_rsp_data *rsp = data;
3750 if (test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
3753 /* Reset ident so only one response is sent */
3756 /* Include all channels pending with the same ident */
3757 if (!rsp->pdu.rsp.result)
3758 rsp->pdu.rsp.dcid[rsp->count++] = cpu_to_le16(chan->scid);
3760 l2cap_chan_del(chan, ECONNRESET);
3763 void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
3765 struct l2cap_conn *conn = chan->conn;
3766 struct l2cap_ecred_rsp_data data;
3767 u16 id = chan->ident;
3773 BT_DBG("chan %p id %d", chan, id);
3775 memset(&data, 0, sizeof(data));
3777 data.pdu.rsp.mtu = cpu_to_le16(chan->imtu);
3778 data.pdu.rsp.mps = cpu_to_le16(chan->mps);
3779 data.pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
3780 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3782 /* Verify that all channels are ready */
3783 __l2cap_chan_list_id(conn, id, l2cap_ecred_list_defer, &result);
3789 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_AUTHORIZATION);
3791 /* Build response */
3792 __l2cap_chan_list_id(conn, id, l2cap_ecred_rsp_defer, &data);
3794 l2cap_send_cmd(conn, id, L2CAP_ECRED_CONN_RSP,
3795 sizeof(data.pdu.rsp) + (data.count * sizeof(__le16)),
3799 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3801 struct l2cap_conn_rsp rsp;
3802 struct l2cap_conn *conn = chan->conn;
3806 rsp.scid = cpu_to_le16(chan->dcid);
3807 rsp.dcid = cpu_to_le16(chan->scid);
3808 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3809 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3810 rsp_code = L2CAP_CONN_RSP;
3812 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3814 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3816 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3819 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3820 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3821 chan->num_conf_req++;
3824 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3828 /* Use sane default values in case a misbehaving remote device
3829 * did not send an RFC or extended window size option.
3831 u16 txwin_ext = chan->ack_win;
3832 struct l2cap_conf_rfc rfc = {
3834 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3835 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3836 .max_pdu_size = cpu_to_le16(chan->imtu),
3837 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3840 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3842 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3845 while (len >= L2CAP_CONF_OPT_SIZE) {
3846 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3851 case L2CAP_CONF_RFC:
3852 if (olen != sizeof(rfc))
3854 memcpy(&rfc, (void *)val, olen);
3856 case L2CAP_CONF_EWS:
3865 case L2CAP_MODE_ERTM:
3866 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3867 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3868 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3869 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3870 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3872 chan->ack_win = min_t(u16, chan->ack_win,
3875 case L2CAP_MODE_STREAMING:
3876 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3880 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3881 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3884 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3886 if (cmd_len < sizeof(*rej))
3889 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3892 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3893 cmd->ident == conn->info_ident) {
3894 cancel_delayed_work(&conn->info_timer);
3896 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3897 conn->info_ident = 0;
3899 l2cap_conn_start(conn);
3905 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3906 struct l2cap_cmd_hdr *cmd,
3907 u8 *data, u8 rsp_code, u8 amp_id)
3909 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3910 struct l2cap_conn_rsp rsp;
3911 struct l2cap_chan *chan = NULL, *pchan;
3912 int result, status = L2CAP_CS_NO_INFO;
3914 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3915 __le16 psm = req->psm;
3917 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3919 /* Check if we have socket listening on psm */
3920 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3921 &conn->hcon->dst, ACL_LINK);
3923 result = L2CAP_CR_BAD_PSM;
3927 mutex_lock(&conn->chan_lock);
3928 l2cap_chan_lock(pchan);
3930 /* Check if the ACL is secure enough (if not SDP) */
3931 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3932 !hci_conn_check_link_mode(conn->hcon)) {
3933 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3934 result = L2CAP_CR_SEC_BLOCK;
3938 result = L2CAP_CR_NO_MEM;
3940 /* Check for valid dynamic CID range (as per Erratum 3253) */
3941 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
3942 result = L2CAP_CR_INVALID_SCID;
3946 /* Check if we already have channel with that dcid */
3947 if (__l2cap_get_chan_by_dcid(conn, scid)) {
3948 result = L2CAP_CR_SCID_IN_USE;
3952 chan = pchan->ops->new_connection(pchan);
3956 /* For certain devices (ex: HID mouse), support for authentication,
3957 * pairing and bonding is optional. For such devices, inorder to avoid
3958 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3959 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3961 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3963 bacpy(&chan->src, &conn->hcon->src);
3964 bacpy(&chan->dst, &conn->hcon->dst);
3965 chan->src_type = bdaddr_src_type(conn->hcon);
3966 chan->dst_type = bdaddr_dst_type(conn->hcon);
3970 __l2cap_chan_add(conn, chan);
3974 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3976 chan->ident = cmd->ident;
3978 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3979 if (l2cap_chan_check_security(chan, false)) {
3980 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3981 l2cap_state_change(chan, BT_CONNECT2);
3982 result = L2CAP_CR_PEND;
3983 status = L2CAP_CS_AUTHOR_PEND;
3984 chan->ops->defer(chan);
3986 /* Force pending result for AMP controllers.
3987 * The connection will succeed after the
3988 * physical link is up.
3990 if (amp_id == AMP_ID_BREDR) {
3991 l2cap_state_change(chan, BT_CONFIG);
3992 result = L2CAP_CR_SUCCESS;
3994 l2cap_state_change(chan, BT_CONNECT2);
3995 result = L2CAP_CR_PEND;
3997 status = L2CAP_CS_NO_INFO;
4000 l2cap_state_change(chan, BT_CONNECT2);
4001 result = L2CAP_CR_PEND;
4002 status = L2CAP_CS_AUTHEN_PEND;
4005 l2cap_state_change(chan, BT_CONNECT2);
4006 result = L2CAP_CR_PEND;
4007 status = L2CAP_CS_NO_INFO;
4011 l2cap_chan_unlock(pchan);
4012 mutex_unlock(&conn->chan_lock);
4013 l2cap_chan_put(pchan);
4016 rsp.scid = cpu_to_le16(scid);
4017 rsp.dcid = cpu_to_le16(dcid);
4018 rsp.result = cpu_to_le16(result);
4019 rsp.status = cpu_to_le16(status);
4020 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4022 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4023 struct l2cap_info_req info;
4024 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4026 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4027 conn->info_ident = l2cap_get_ident(conn);
4029 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4031 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4032 sizeof(info), &info);
4035 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4036 result == L2CAP_CR_SUCCESS) {
4038 set_bit(CONF_REQ_SENT, &chan->conf_state);
4039 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4040 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4041 chan->num_conf_req++;
4047 static int l2cap_connect_req(struct l2cap_conn *conn,
4048 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4050 struct hci_dev *hdev = conn->hcon->hdev;
4051 struct hci_conn *hcon = conn->hcon;
4053 if (cmd_len < sizeof(struct l2cap_conn_req))
4057 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
4058 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
4059 mgmt_device_connected(hdev, hcon, NULL, 0);
4060 hci_dev_unlock(hdev);
4062 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
4066 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4067 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4070 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4071 u16 scid, dcid, result, status;
4072 struct l2cap_chan *chan;
4076 if (cmd_len < sizeof(*rsp))
4079 scid = __le16_to_cpu(rsp->scid);
4080 dcid = __le16_to_cpu(rsp->dcid);
4081 result = __le16_to_cpu(rsp->result);
4082 status = __le16_to_cpu(rsp->status);
4084 if (result == L2CAP_CR_SUCCESS && (dcid < L2CAP_CID_DYN_START ||
4085 dcid > L2CAP_CID_DYN_END))
4088 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4089 dcid, scid, result, status);
4091 mutex_lock(&conn->chan_lock);
4094 chan = __l2cap_get_chan_by_scid(conn, scid);
4100 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4107 chan = l2cap_chan_hold_unless_zero(chan);
4115 l2cap_chan_lock(chan);
4118 case L2CAP_CR_SUCCESS:
4119 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
4124 l2cap_state_change(chan, BT_CONFIG);
4127 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4129 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4132 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4133 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4134 chan->num_conf_req++;
4138 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4142 l2cap_chan_del(chan, ECONNREFUSED);
4146 l2cap_chan_unlock(chan);
4147 l2cap_chan_put(chan);
4150 mutex_unlock(&conn->chan_lock);
4155 static inline void set_default_fcs(struct l2cap_chan *chan)
4157 /* FCS is enabled only in ERTM or streaming mode, if one or both
4160 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4161 chan->fcs = L2CAP_FCS_NONE;
4162 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4163 chan->fcs = L2CAP_FCS_CRC16;
4166 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4167 u8 ident, u16 flags)
4169 struct l2cap_conn *conn = chan->conn;
4171 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4174 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4175 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4177 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4178 l2cap_build_conf_rsp(chan, data,
4179 L2CAP_CONF_SUCCESS, flags), data);
4182 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4185 struct l2cap_cmd_rej_cid rej;
4187 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4188 rej.scid = __cpu_to_le16(scid);
4189 rej.dcid = __cpu_to_le16(dcid);
4191 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4194 static inline int l2cap_config_req(struct l2cap_conn *conn,
4195 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4198 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4201 struct l2cap_chan *chan;
4204 if (cmd_len < sizeof(*req))
4207 dcid = __le16_to_cpu(req->dcid);
4208 flags = __le16_to_cpu(req->flags);
4210 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4212 chan = l2cap_get_chan_by_scid(conn, dcid);
4214 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4218 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
4219 chan->state != BT_CONNECTED) {
4220 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4225 /* Reject if config buffer is too small. */
4226 len = cmd_len - sizeof(*req);
4227 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4228 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4229 l2cap_build_conf_rsp(chan, rsp,
4230 L2CAP_CONF_REJECT, flags), rsp);
4235 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4236 chan->conf_len += len;
4238 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4239 /* Incomplete config. Send empty response. */
4240 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4241 l2cap_build_conf_rsp(chan, rsp,
4242 L2CAP_CONF_SUCCESS, flags), rsp);
4246 /* Complete config. */
4247 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4249 l2cap_send_disconn_req(chan, ECONNRESET);
4253 chan->ident = cmd->ident;
4254 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4255 if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP)
4256 chan->num_conf_rsp++;
4258 /* Reset config buffer. */
4261 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4264 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4265 set_default_fcs(chan);
4267 if (chan->mode == L2CAP_MODE_ERTM ||
4268 chan->mode == L2CAP_MODE_STREAMING)
4269 err = l2cap_ertm_init(chan);
4272 l2cap_send_disconn_req(chan, -err);
4274 l2cap_chan_ready(chan);
4279 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4281 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4282 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4283 chan->num_conf_req++;
4286 /* Got Conf Rsp PENDING from remote side and assume we sent
4287 Conf Rsp PENDING in the code above */
4288 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4289 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4291 /* check compatibility */
4293 /* Send rsp for BR/EDR channel */
4294 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4298 l2cap_chan_unlock(chan);
4299 l2cap_chan_put(chan);
4303 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4304 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4307 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4308 u16 scid, flags, result;
4309 struct l2cap_chan *chan;
4310 int len = cmd_len - sizeof(*rsp);
4313 if (cmd_len < sizeof(*rsp))
4316 scid = __le16_to_cpu(rsp->scid);
4317 flags = __le16_to_cpu(rsp->flags);
4318 result = __le16_to_cpu(rsp->result);
4320 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4323 chan = l2cap_get_chan_by_scid(conn, scid);
4328 case L2CAP_CONF_SUCCESS:
4329 l2cap_conf_rfc_get(chan, rsp->data, len);
4330 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4333 case L2CAP_CONF_PENDING:
4334 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4336 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4339 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4340 buf, sizeof(buf), &result);
4342 l2cap_send_disconn_req(chan, ECONNRESET);
4346 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident, 0);
4350 case L2CAP_CONF_UNKNOWN:
4351 case L2CAP_CONF_UNACCEPT:
4352 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4355 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4356 l2cap_send_disconn_req(chan, ECONNRESET);
4360 /* throw out any old stored conf requests */
4361 result = L2CAP_CONF_SUCCESS;
4362 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4363 req, sizeof(req), &result);
4365 l2cap_send_disconn_req(chan, ECONNRESET);
4369 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4370 L2CAP_CONF_REQ, len, req);
4371 chan->num_conf_req++;
4372 if (result != L2CAP_CONF_SUCCESS)
4379 l2cap_chan_set_err(chan, ECONNRESET);
4381 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4382 l2cap_send_disconn_req(chan, ECONNRESET);
4386 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4389 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4391 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4392 set_default_fcs(chan);
4394 if (chan->mode == L2CAP_MODE_ERTM ||
4395 chan->mode == L2CAP_MODE_STREAMING)
4396 err = l2cap_ertm_init(chan);
4399 l2cap_send_disconn_req(chan, -err);
4401 l2cap_chan_ready(chan);
4405 l2cap_chan_unlock(chan);
4406 l2cap_chan_put(chan);
4410 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4411 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4414 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4415 struct l2cap_disconn_rsp rsp;
4417 struct l2cap_chan *chan;
4419 if (cmd_len != sizeof(*req))
4422 scid = __le16_to_cpu(req->scid);
4423 dcid = __le16_to_cpu(req->dcid);
4425 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4427 chan = l2cap_get_chan_by_scid(conn, dcid);
4429 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4433 rsp.dcid = cpu_to_le16(chan->scid);
4434 rsp.scid = cpu_to_le16(chan->dcid);
4435 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4437 chan->ops->set_shutdown(chan);
4439 l2cap_chan_unlock(chan);
4440 mutex_lock(&conn->chan_lock);
4441 l2cap_chan_lock(chan);
4442 l2cap_chan_del(chan, ECONNRESET);
4443 mutex_unlock(&conn->chan_lock);
4445 chan->ops->close(chan);
4447 l2cap_chan_unlock(chan);
4448 l2cap_chan_put(chan);
4453 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4454 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4457 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4459 struct l2cap_chan *chan;
4461 if (cmd_len != sizeof(*rsp))
4464 scid = __le16_to_cpu(rsp->scid);
4465 dcid = __le16_to_cpu(rsp->dcid);
4467 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4469 chan = l2cap_get_chan_by_scid(conn, scid);
4474 if (chan->state != BT_DISCONN) {
4475 l2cap_chan_unlock(chan);
4476 l2cap_chan_put(chan);
4480 l2cap_chan_unlock(chan);
4481 mutex_lock(&conn->chan_lock);
4482 l2cap_chan_lock(chan);
4483 l2cap_chan_del(chan, 0);
4484 mutex_unlock(&conn->chan_lock);
4486 chan->ops->close(chan);
4488 l2cap_chan_unlock(chan);
4489 l2cap_chan_put(chan);
4494 static inline int l2cap_information_req(struct l2cap_conn *conn,
4495 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4498 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4501 if (cmd_len != sizeof(*req))
4504 type = __le16_to_cpu(req->type);
4506 BT_DBG("type 0x%4.4x", type);
4508 if (type == L2CAP_IT_FEAT_MASK) {
4510 u32 feat_mask = l2cap_feat_mask;
4511 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4512 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4513 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4515 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4518 put_unaligned_le32(feat_mask, rsp->data);
4519 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4521 } else if (type == L2CAP_IT_FIXED_CHAN) {
4523 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4525 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4526 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4527 rsp->data[0] = conn->local_fixed_chan;
4528 memset(rsp->data + 1, 0, 7);
4529 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4532 struct l2cap_info_rsp rsp;
4533 rsp.type = cpu_to_le16(type);
4534 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4535 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4542 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4543 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4546 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4549 if (cmd_len < sizeof(*rsp))
4552 type = __le16_to_cpu(rsp->type);
4553 result = __le16_to_cpu(rsp->result);
4555 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4557 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4558 if (cmd->ident != conn->info_ident ||
4559 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4562 cancel_delayed_work(&conn->info_timer);
4564 if (result != L2CAP_IR_SUCCESS) {
4565 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4566 conn->info_ident = 0;
4568 l2cap_conn_start(conn);
4574 case L2CAP_IT_FEAT_MASK:
4575 conn->feat_mask = get_unaligned_le32(rsp->data);
4577 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4578 struct l2cap_info_req req;
4579 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4581 conn->info_ident = l2cap_get_ident(conn);
4583 l2cap_send_cmd(conn, conn->info_ident,
4584 L2CAP_INFO_REQ, sizeof(req), &req);
4586 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4587 conn->info_ident = 0;
4589 l2cap_conn_start(conn);
4593 case L2CAP_IT_FIXED_CHAN:
4594 conn->remote_fixed_chan = rsp->data[0];
4595 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4596 conn->info_ident = 0;
4598 l2cap_conn_start(conn);
4605 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4606 struct l2cap_cmd_hdr *cmd,
4607 u16 cmd_len, u8 *data)
4609 struct hci_conn *hcon = conn->hcon;
4610 struct l2cap_conn_param_update_req *req;
4611 struct l2cap_conn_param_update_rsp rsp;
4612 u16 min, max, latency, to_multiplier;
4615 if (hcon->role != HCI_ROLE_MASTER)
4618 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4621 req = (struct l2cap_conn_param_update_req *) data;
4622 min = __le16_to_cpu(req->min);
4623 max = __le16_to_cpu(req->max);
4624 latency = __le16_to_cpu(req->latency);
4625 to_multiplier = __le16_to_cpu(req->to_multiplier);
4627 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4628 min, max, latency, to_multiplier);
4630 memset(&rsp, 0, sizeof(rsp));
4632 if (max > hcon->le_conn_max_interval) {
4633 BT_DBG("requested connection interval exceeds current bounds.");
4636 err = hci_check_conn_params(min, max, latency, to_multiplier);
4640 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
4642 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
4644 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4650 store_hint = hci_le_conn_update(hcon, min, max, latency,
4652 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
4653 store_hint, min, max, latency,
4661 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
4662 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4665 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
4666 struct hci_conn *hcon = conn->hcon;
4667 u16 dcid, mtu, mps, credits, result;
4668 struct l2cap_chan *chan;
4671 if (cmd_len < sizeof(*rsp))
4674 dcid = __le16_to_cpu(rsp->dcid);
4675 mtu = __le16_to_cpu(rsp->mtu);
4676 mps = __le16_to_cpu(rsp->mps);
4677 credits = __le16_to_cpu(rsp->credits);
4678 result = __le16_to_cpu(rsp->result);
4680 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
4681 dcid < L2CAP_CID_DYN_START ||
4682 dcid > L2CAP_CID_LE_DYN_END))
4685 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
4686 dcid, mtu, mps, credits, result);
4688 mutex_lock(&conn->chan_lock);
4690 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4698 l2cap_chan_lock(chan);
4701 case L2CAP_CR_LE_SUCCESS:
4702 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
4710 chan->remote_mps = mps;
4711 chan->tx_credits = credits;
4712 l2cap_chan_ready(chan);
4715 case L2CAP_CR_LE_AUTHENTICATION:
4716 case L2CAP_CR_LE_ENCRYPTION:
4717 /* If we already have MITM protection we can't do
4720 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
4721 l2cap_chan_del(chan, ECONNREFUSED);
4725 sec_level = hcon->sec_level + 1;
4726 if (chan->sec_level < sec_level)
4727 chan->sec_level = sec_level;
4729 /* We'll need to send a new Connect Request */
4730 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
4732 smp_conn_security(hcon, chan->sec_level);
4736 l2cap_chan_del(chan, ECONNREFUSED);
4740 l2cap_chan_unlock(chan);
4743 mutex_unlock(&conn->chan_lock);
4748 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4749 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4754 switch (cmd->code) {
4755 case L2CAP_COMMAND_REJ:
4756 l2cap_command_rej(conn, cmd, cmd_len, data);
4759 case L2CAP_CONN_REQ:
4760 err = l2cap_connect_req(conn, cmd, cmd_len, data);
4763 case L2CAP_CONN_RSP:
4764 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
4767 case L2CAP_CONF_REQ:
4768 err = l2cap_config_req(conn, cmd, cmd_len, data);
4771 case L2CAP_CONF_RSP:
4772 l2cap_config_rsp(conn, cmd, cmd_len, data);
4775 case L2CAP_DISCONN_REQ:
4776 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
4779 case L2CAP_DISCONN_RSP:
4780 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
4783 case L2CAP_ECHO_REQ:
4784 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4787 case L2CAP_ECHO_RSP:
4790 case L2CAP_INFO_REQ:
4791 err = l2cap_information_req(conn, cmd, cmd_len, data);
4794 case L2CAP_INFO_RSP:
4795 l2cap_information_rsp(conn, cmd, cmd_len, data);
4799 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4807 static int l2cap_le_connect_req(struct l2cap_conn *conn,
4808 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4811 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
4812 struct l2cap_le_conn_rsp rsp;
4813 struct l2cap_chan *chan, *pchan;
4814 u16 dcid, scid, credits, mtu, mps;
4818 if (cmd_len != sizeof(*req))
4821 scid = __le16_to_cpu(req->scid);
4822 mtu = __le16_to_cpu(req->mtu);
4823 mps = __le16_to_cpu(req->mps);
4828 if (mtu < 23 || mps < 23)
4831 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
4834 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
4837 * Valid range: 0x0001-0x00ff
4839 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
4841 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
4842 result = L2CAP_CR_LE_BAD_PSM;
4847 /* Check if we have socket listening on psm */
4848 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
4849 &conn->hcon->dst, LE_LINK);
4851 result = L2CAP_CR_LE_BAD_PSM;
4856 mutex_lock(&conn->chan_lock);
4857 l2cap_chan_lock(pchan);
4859 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
4861 result = L2CAP_CR_LE_AUTHENTICATION;
4863 goto response_unlock;
4866 /* Check for valid dynamic CID range */
4867 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
4868 result = L2CAP_CR_LE_INVALID_SCID;
4870 goto response_unlock;
4873 /* Check if we already have channel with that dcid */
4874 if (__l2cap_get_chan_by_dcid(conn, scid)) {
4875 result = L2CAP_CR_LE_SCID_IN_USE;
4877 goto response_unlock;
4880 chan = pchan->ops->new_connection(pchan);
4882 result = L2CAP_CR_LE_NO_MEM;
4883 goto response_unlock;
4886 bacpy(&chan->src, &conn->hcon->src);
4887 bacpy(&chan->dst, &conn->hcon->dst);
4888 chan->src_type = bdaddr_src_type(conn->hcon);
4889 chan->dst_type = bdaddr_dst_type(conn->hcon);
4893 chan->remote_mps = mps;
4895 __l2cap_chan_add(conn, chan);
4897 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
4900 credits = chan->rx_credits;
4902 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4904 chan->ident = cmd->ident;
4906 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4907 l2cap_state_change(chan, BT_CONNECT2);
4908 /* The following result value is actually not defined
4909 * for LE CoC but we use it to let the function know
4910 * that it should bail out after doing its cleanup
4911 * instead of sending a response.
4913 result = L2CAP_CR_PEND;
4914 chan->ops->defer(chan);
4916 l2cap_chan_ready(chan);
4917 result = L2CAP_CR_LE_SUCCESS;
4921 l2cap_chan_unlock(pchan);
4922 mutex_unlock(&conn->chan_lock);
4923 l2cap_chan_put(pchan);
4925 if (result == L2CAP_CR_PEND)
4930 rsp.mtu = cpu_to_le16(chan->imtu);
4931 rsp.mps = cpu_to_le16(chan->mps);
4937 rsp.dcid = cpu_to_le16(dcid);
4938 rsp.credits = cpu_to_le16(credits);
4939 rsp.result = cpu_to_le16(result);
4941 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
4946 static inline int l2cap_le_credits(struct l2cap_conn *conn,
4947 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4950 struct l2cap_le_credits *pkt;
4951 struct l2cap_chan *chan;
4952 u16 cid, credits, max_credits;
4954 if (cmd_len != sizeof(*pkt))
4957 pkt = (struct l2cap_le_credits *) data;
4958 cid = __le16_to_cpu(pkt->cid);
4959 credits = __le16_to_cpu(pkt->credits);
4961 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
4963 chan = l2cap_get_chan_by_dcid(conn, cid);
4967 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
4968 if (credits > max_credits) {
4969 BT_ERR("LE credits overflow");
4970 l2cap_send_disconn_req(chan, ECONNRESET);
4972 /* Return 0 so that we don't trigger an unnecessary
4973 * command reject packet.
4978 chan->tx_credits += credits;
4980 /* Resume sending */
4981 l2cap_le_flowctl_send(chan);
4983 if (chan->tx_credits)
4984 chan->ops->resume(chan);
4987 l2cap_chan_unlock(chan);
4988 l2cap_chan_put(chan);
4993 static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
4994 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4997 struct l2cap_ecred_conn_req *req = (void *) data;
4999 struct l2cap_ecred_conn_rsp rsp;
5000 __le16 dcid[L2CAP_ECRED_MAX_CID];
5002 struct l2cap_chan *chan, *pchan;
5012 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) {
5013 result = L2CAP_CR_LE_INVALID_PARAMS;
5017 cmd_len -= sizeof(*req);
5018 num_scid = cmd_len / sizeof(u16);
5020 if (num_scid > ARRAY_SIZE(pdu.dcid)) {
5021 result = L2CAP_CR_LE_INVALID_PARAMS;
5025 mtu = __le16_to_cpu(req->mtu);
5026 mps = __le16_to_cpu(req->mps);
5028 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) {
5029 result = L2CAP_CR_LE_UNACCEPT_PARAMS;
5035 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
5038 * Valid range: 0x0001-0x00ff
5040 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
5042 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
5043 result = L2CAP_CR_LE_BAD_PSM;
5047 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
5049 memset(&pdu, 0, sizeof(pdu));
5051 /* Check if we have socket listening on psm */
5052 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5053 &conn->hcon->dst, LE_LINK);
5055 result = L2CAP_CR_LE_BAD_PSM;
5059 mutex_lock(&conn->chan_lock);
5060 l2cap_chan_lock(pchan);
5062 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5064 result = L2CAP_CR_LE_AUTHENTICATION;
5068 result = L2CAP_CR_LE_SUCCESS;
5070 for (i = 0; i < num_scid; i++) {
5071 u16 scid = __le16_to_cpu(req->scid[i]);
5073 BT_DBG("scid[%d] 0x%4.4x", i, scid);
5075 pdu.dcid[i] = 0x0000;
5076 len += sizeof(*pdu.dcid);
5078 /* Check for valid dynamic CID range */
5079 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5080 result = L2CAP_CR_LE_INVALID_SCID;
5084 /* Check if we already have channel with that dcid */
5085 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5086 result = L2CAP_CR_LE_SCID_IN_USE;
5090 chan = pchan->ops->new_connection(pchan);
5092 result = L2CAP_CR_LE_NO_MEM;
5096 bacpy(&chan->src, &conn->hcon->src);
5097 bacpy(&chan->dst, &conn->hcon->dst);
5098 chan->src_type = bdaddr_src_type(conn->hcon);
5099 chan->dst_type = bdaddr_dst_type(conn->hcon);
5103 chan->remote_mps = mps;
5105 __l2cap_chan_add(conn, chan);
5107 l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
5110 if (!pdu.rsp.credits) {
5111 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
5112 pdu.rsp.mps = cpu_to_le16(chan->mps);
5113 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
5116 pdu.dcid[i] = cpu_to_le16(chan->scid);
5118 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5120 chan->ident = cmd->ident;
5121 chan->mode = L2CAP_MODE_EXT_FLOWCTL;
5123 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5124 l2cap_state_change(chan, BT_CONNECT2);
5126 chan->ops->defer(chan);
5128 l2cap_chan_ready(chan);
5133 l2cap_chan_unlock(pchan);
5134 mutex_unlock(&conn->chan_lock);
5135 l2cap_chan_put(pchan);
5138 pdu.rsp.result = cpu_to_le16(result);
5143 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP,
5144 sizeof(pdu.rsp) + len, &pdu);
5149 static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
5150 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5153 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
5154 struct hci_conn *hcon = conn->hcon;
5155 u16 mtu, mps, credits, result;
5156 struct l2cap_chan *chan, *tmp;
5157 int err = 0, sec_level;
5160 if (cmd_len < sizeof(*rsp))
5163 mtu = __le16_to_cpu(rsp->mtu);
5164 mps = __le16_to_cpu(rsp->mps);
5165 credits = __le16_to_cpu(rsp->credits);
5166 result = __le16_to_cpu(rsp->result);
5168 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits,
5171 mutex_lock(&conn->chan_lock);
5173 cmd_len -= sizeof(*rsp);
5175 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
5178 if (chan->ident != cmd->ident ||
5179 chan->mode != L2CAP_MODE_EXT_FLOWCTL ||
5180 chan->state == BT_CONNECTED)
5183 l2cap_chan_lock(chan);
5185 /* Check that there is a dcid for each pending channel */
5186 if (cmd_len < sizeof(dcid)) {
5187 l2cap_chan_del(chan, ECONNREFUSED);
5188 l2cap_chan_unlock(chan);
5192 dcid = __le16_to_cpu(rsp->dcid[i++]);
5193 cmd_len -= sizeof(u16);
5195 BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
5197 /* Check if dcid is already in use */
5198 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
5199 /* If a device receives a
5200 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
5201 * already-assigned Destination CID, then both the
5202 * original channel and the new channel shall be
5203 * immediately discarded and not used.
5205 l2cap_chan_del(chan, ECONNREFUSED);
5206 l2cap_chan_unlock(chan);
5207 chan = __l2cap_get_chan_by_dcid(conn, dcid);
5208 l2cap_chan_lock(chan);
5209 l2cap_chan_del(chan, ECONNRESET);
5210 l2cap_chan_unlock(chan);
5215 case L2CAP_CR_LE_AUTHENTICATION:
5216 case L2CAP_CR_LE_ENCRYPTION:
5217 /* If we already have MITM protection we can't do
5220 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5221 l2cap_chan_del(chan, ECONNREFUSED);
5225 sec_level = hcon->sec_level + 1;
5226 if (chan->sec_level < sec_level)
5227 chan->sec_level = sec_level;
5229 /* We'll need to send a new Connect Request */
5230 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags);
5232 smp_conn_security(hcon, chan->sec_level);
5235 case L2CAP_CR_LE_BAD_PSM:
5236 l2cap_chan_del(chan, ECONNREFUSED);
5240 /* If dcid was not set it means channels was refused */
5242 l2cap_chan_del(chan, ECONNREFUSED);
5249 chan->remote_mps = mps;
5250 chan->tx_credits = credits;
5251 l2cap_chan_ready(chan);
5255 l2cap_chan_unlock(chan);
5258 mutex_unlock(&conn->chan_lock);
5263 static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn,
5264 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5267 struct l2cap_ecred_reconf_req *req = (void *) data;
5268 struct l2cap_ecred_reconf_rsp rsp;
5269 u16 mtu, mps, result;
5270 struct l2cap_chan *chan;
5276 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
5277 result = L2CAP_CR_LE_INVALID_PARAMS;
5281 mtu = __le16_to_cpu(req->mtu);
5282 mps = __le16_to_cpu(req->mps);
5284 BT_DBG("mtu %u mps %u", mtu, mps);
5286 if (mtu < L2CAP_ECRED_MIN_MTU) {
5287 result = L2CAP_RECONF_INVALID_MTU;
5291 if (mps < L2CAP_ECRED_MIN_MPS) {
5292 result = L2CAP_RECONF_INVALID_MPS;
5296 cmd_len -= sizeof(*req);
5297 num_scid = cmd_len / sizeof(u16);
5298 result = L2CAP_RECONF_SUCCESS;
5300 for (i = 0; i < num_scid; i++) {
5303 scid = __le16_to_cpu(req->scid[i]);
5307 chan = __l2cap_get_chan_by_dcid(conn, scid);
5311 /* If the MTU value is decreased for any of the included
5312 * channels, then the receiver shall disconnect all
5313 * included channels.
5315 if (chan->omtu > mtu) {
5316 BT_ERR("chan %p decreased MTU %u -> %u", chan,
5318 result = L2CAP_RECONF_INVALID_MTU;
5322 chan->remote_mps = mps;
5326 rsp.result = cpu_to_le16(result);
5328 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp),
5334 static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
5335 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5338 struct l2cap_chan *chan, *tmp;
5339 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
5342 if (cmd_len < sizeof(*rsp))
5345 result = __le16_to_cpu(rsp->result);
5347 BT_DBG("result 0x%4.4x", rsp->result);
5352 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
5353 if (chan->ident != cmd->ident)
5356 l2cap_chan_del(chan, ECONNRESET);
5362 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5363 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5366 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5367 struct l2cap_chan *chan;
5369 if (cmd_len < sizeof(*rej))
5372 mutex_lock(&conn->chan_lock);
5374 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5378 chan = l2cap_chan_hold_unless_zero(chan);
5382 l2cap_chan_lock(chan);
5383 l2cap_chan_del(chan, ECONNREFUSED);
5384 l2cap_chan_unlock(chan);
5385 l2cap_chan_put(chan);
5388 mutex_unlock(&conn->chan_lock);
5392 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5393 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5398 switch (cmd->code) {
5399 case L2CAP_COMMAND_REJ:
5400 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5403 case L2CAP_CONN_PARAM_UPDATE_REQ:
5404 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5407 case L2CAP_CONN_PARAM_UPDATE_RSP:
5410 case L2CAP_LE_CONN_RSP:
5411 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5414 case L2CAP_LE_CONN_REQ:
5415 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5418 case L2CAP_LE_CREDITS:
5419 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5422 case L2CAP_ECRED_CONN_REQ:
5423 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data);
5426 case L2CAP_ECRED_CONN_RSP:
5427 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data);
5430 case L2CAP_ECRED_RECONF_REQ:
5431 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data);
5434 case L2CAP_ECRED_RECONF_RSP:
5435 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data);
5438 case L2CAP_DISCONN_REQ:
5439 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5442 case L2CAP_DISCONN_RSP:
5443 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5447 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5455 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5456 struct sk_buff *skb)
5458 struct hci_conn *hcon = conn->hcon;
5459 struct l2cap_cmd_hdr *cmd;
5463 if (hcon->type != LE_LINK)
5466 if (skb->len < L2CAP_CMD_HDR_SIZE)
5469 cmd = (void *) skb->data;
5470 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5472 len = le16_to_cpu(cmd->len);
5474 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5476 if (len != skb->len || !cmd->ident) {
5477 BT_DBG("corrupted command");
5481 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5483 struct l2cap_cmd_rej_unk rej;
5485 BT_ERR("Wrong link type (%d)", err);
5487 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5488 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5496 static inline void l2cap_sig_send_rej(struct l2cap_conn *conn, u16 ident)
5498 struct l2cap_cmd_rej_unk rej;
5500 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5501 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
5504 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5505 struct sk_buff *skb)
5507 struct hci_conn *hcon = conn->hcon;
5508 struct l2cap_cmd_hdr *cmd;
5511 l2cap_raw_recv(conn, skb);
5513 if (hcon->type != ACL_LINK)
5516 while (skb->len >= L2CAP_CMD_HDR_SIZE) {
5519 cmd = (void *) skb->data;
5520 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5522 len = le16_to_cpu(cmd->len);
5524 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
5527 if (len > skb->len || !cmd->ident) {
5528 BT_DBG("corrupted command");
5529 l2cap_sig_send_rej(conn, cmd->ident);
5530 skb_pull(skb, len > skb->len ? skb->len : len);
5534 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
5536 BT_ERR("Wrong link type (%d)", err);
5537 l2cap_sig_send_rej(conn, cmd->ident);
5544 BT_DBG("corrupted command");
5545 l2cap_sig_send_rej(conn, 0);
5552 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5554 u16 our_fcs, rcv_fcs;
5557 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5558 hdr_size = L2CAP_EXT_HDR_SIZE;
5560 hdr_size = L2CAP_ENH_HDR_SIZE;
5562 if (chan->fcs == L2CAP_FCS_CRC16) {
5563 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5564 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5565 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5567 if (our_fcs != rcv_fcs)
5573 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5575 struct l2cap_ctrl control;
5577 BT_DBG("chan %p", chan);
5579 memset(&control, 0, sizeof(control));
5582 control.reqseq = chan->buffer_seq;
5583 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5585 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5586 control.super = L2CAP_SUPER_RNR;
5587 l2cap_send_sframe(chan, &control);
5590 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5591 chan->unacked_frames > 0)
5592 __set_retrans_timer(chan);
5594 /* Send pending iframes */
5595 l2cap_ertm_send(chan);
5597 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5598 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5599 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5602 control.super = L2CAP_SUPER_RR;
5603 l2cap_send_sframe(chan, &control);
5607 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5608 struct sk_buff **last_frag)
5610 /* skb->len reflects data in skb as well as all fragments
5611 * skb->data_len reflects only data in fragments
5613 if (!skb_has_frag_list(skb))
5614 skb_shinfo(skb)->frag_list = new_frag;
5616 new_frag->next = NULL;
5618 (*last_frag)->next = new_frag;
5619 *last_frag = new_frag;
5621 skb->len += new_frag->len;
5622 skb->data_len += new_frag->len;
5623 skb->truesize += new_frag->truesize;
5626 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5627 struct l2cap_ctrl *control)
5631 switch (control->sar) {
5632 case L2CAP_SAR_UNSEGMENTED:
5636 err = chan->ops->recv(chan, skb);
5639 case L2CAP_SAR_START:
5643 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5646 chan->sdu_len = get_unaligned_le16(skb->data);
5647 skb_pull(skb, L2CAP_SDULEN_SIZE);
5649 if (chan->sdu_len > chan->imtu) {
5654 if (skb->len >= chan->sdu_len)
5658 chan->sdu_last_frag = skb;
5664 case L2CAP_SAR_CONTINUE:
5668 append_skb_frag(chan->sdu, skb,
5669 &chan->sdu_last_frag);
5672 if (chan->sdu->len >= chan->sdu_len)
5682 append_skb_frag(chan->sdu, skb,
5683 &chan->sdu_last_frag);
5686 if (chan->sdu->len != chan->sdu_len)
5689 err = chan->ops->recv(chan, chan->sdu);
5692 /* Reassembly complete */
5694 chan->sdu_last_frag = NULL;
5702 kfree_skb(chan->sdu);
5704 chan->sdu_last_frag = NULL;
5711 static int l2cap_resegment(struct l2cap_chan *chan)
5717 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5721 if (chan->mode != L2CAP_MODE_ERTM)
5724 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5725 l2cap_tx(chan, NULL, NULL, event);
5728 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5731 /* Pass sequential frames to l2cap_reassemble_sdu()
5732 * until a gap is encountered.
5735 BT_DBG("chan %p", chan);
5737 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5738 struct sk_buff *skb;
5739 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5740 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5742 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5747 skb_unlink(skb, &chan->srej_q);
5748 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5749 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5754 if (skb_queue_empty(&chan->srej_q)) {
5755 chan->rx_state = L2CAP_RX_STATE_RECV;
5756 l2cap_send_ack(chan);
5762 static void l2cap_handle_srej(struct l2cap_chan *chan,
5763 struct l2cap_ctrl *control)
5765 struct sk_buff *skb;
5767 BT_DBG("chan %p, control %p", chan, control);
5769 if (control->reqseq == chan->next_tx_seq) {
5770 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5771 l2cap_send_disconn_req(chan, ECONNRESET);
5775 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5778 BT_DBG("Seq %d not available for retransmission",
5783 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5784 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5785 l2cap_send_disconn_req(chan, ECONNRESET);
5789 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5791 if (control->poll) {
5792 l2cap_pass_to_tx(chan, control);
5794 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5795 l2cap_retransmit(chan, control);
5796 l2cap_ertm_send(chan);
5798 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5799 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5800 chan->srej_save_reqseq = control->reqseq;
5803 l2cap_pass_to_tx_fbit(chan, control);
5805 if (control->final) {
5806 if (chan->srej_save_reqseq != control->reqseq ||
5807 !test_and_clear_bit(CONN_SREJ_ACT,
5809 l2cap_retransmit(chan, control);
5811 l2cap_retransmit(chan, control);
5812 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5813 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5814 chan->srej_save_reqseq = control->reqseq;
5820 static void l2cap_handle_rej(struct l2cap_chan *chan,
5821 struct l2cap_ctrl *control)
5823 struct sk_buff *skb;
5825 BT_DBG("chan %p, control %p", chan, control);
5827 if (control->reqseq == chan->next_tx_seq) {
5828 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5829 l2cap_send_disconn_req(chan, ECONNRESET);
5833 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5835 if (chan->max_tx && skb &&
5836 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5837 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5838 l2cap_send_disconn_req(chan, ECONNRESET);
5842 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5844 l2cap_pass_to_tx(chan, control);
5846 if (control->final) {
5847 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5848 l2cap_retransmit_all(chan, control);
5850 l2cap_retransmit_all(chan, control);
5851 l2cap_ertm_send(chan);
5852 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5853 set_bit(CONN_REJ_ACT, &chan->conn_state);
5857 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5859 BT_DBG("chan %p, txseq %d", chan, txseq);
5861 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5862 chan->expected_tx_seq);
5864 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5865 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5867 /* See notes below regarding "double poll" and
5870 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5871 BT_DBG("Invalid/Ignore - after SREJ");
5872 return L2CAP_TXSEQ_INVALID_IGNORE;
5874 BT_DBG("Invalid - in window after SREJ sent");
5875 return L2CAP_TXSEQ_INVALID;
5879 if (chan->srej_list.head == txseq) {
5880 BT_DBG("Expected SREJ");
5881 return L2CAP_TXSEQ_EXPECTED_SREJ;
5884 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5885 BT_DBG("Duplicate SREJ - txseq already stored");
5886 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5889 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5890 BT_DBG("Unexpected SREJ - not requested");
5891 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5895 if (chan->expected_tx_seq == txseq) {
5896 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5898 BT_DBG("Invalid - txseq outside tx window");
5899 return L2CAP_TXSEQ_INVALID;
5902 return L2CAP_TXSEQ_EXPECTED;
5906 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
5907 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
5908 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5909 return L2CAP_TXSEQ_DUPLICATE;
5912 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5913 /* A source of invalid packets is a "double poll" condition,
5914 * where delays cause us to send multiple poll packets. If
5915 * the remote stack receives and processes both polls,
5916 * sequence numbers can wrap around in such a way that a
5917 * resent frame has a sequence number that looks like new data
5918 * with a sequence gap. This would trigger an erroneous SREJ
5921 * Fortunately, this is impossible with a tx window that's
5922 * less than half of the maximum sequence number, which allows
5923 * invalid frames to be safely ignored.
5925 * With tx window sizes greater than half of the tx window
5926 * maximum, the frame is invalid and cannot be ignored. This
5927 * causes a disconnect.
5930 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5931 BT_DBG("Invalid/Ignore - txseq outside tx window");
5932 return L2CAP_TXSEQ_INVALID_IGNORE;
5934 BT_DBG("Invalid - txseq outside tx window");
5935 return L2CAP_TXSEQ_INVALID;
5938 BT_DBG("Unexpected - txseq indicates missing frames");
5939 return L2CAP_TXSEQ_UNEXPECTED;
5943 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5944 struct l2cap_ctrl *control,
5945 struct sk_buff *skb, u8 event)
5947 struct l2cap_ctrl local_control;
5949 bool skb_in_use = false;
5951 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5955 case L2CAP_EV_RECV_IFRAME:
5956 switch (l2cap_classify_txseq(chan, control->txseq)) {
5957 case L2CAP_TXSEQ_EXPECTED:
5958 l2cap_pass_to_tx(chan, control);
5960 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5961 BT_DBG("Busy, discarding expected seq %d",
5966 chan->expected_tx_seq = __next_seq(chan,
5969 chan->buffer_seq = chan->expected_tx_seq;
5972 /* l2cap_reassemble_sdu may free skb, hence invalidate
5973 * control, so make a copy in advance to use it after
5974 * l2cap_reassemble_sdu returns and to avoid the race
5975 * condition, for example:
5977 * The current thread calls:
5978 * l2cap_reassemble_sdu
5979 * chan->ops->recv == l2cap_sock_recv_cb
5980 * __sock_queue_rcv_skb
5981 * Another thread calls:
5985 * Then the current thread tries to access control, but
5986 * it was freed by skb_free_datagram.
5988 local_control = *control;
5989 err = l2cap_reassemble_sdu(chan, skb, control);
5993 if (local_control.final) {
5994 if (!test_and_clear_bit(CONN_REJ_ACT,
5995 &chan->conn_state)) {
5996 local_control.final = 0;
5997 l2cap_retransmit_all(chan, &local_control);
5998 l2cap_ertm_send(chan);
6002 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6003 l2cap_send_ack(chan);
6005 case L2CAP_TXSEQ_UNEXPECTED:
6006 l2cap_pass_to_tx(chan, control);
6008 /* Can't issue SREJ frames in the local busy state.
6009 * Drop this frame, it will be seen as missing
6010 * when local busy is exited.
6012 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6013 BT_DBG("Busy, discarding unexpected seq %d",
6018 /* There was a gap in the sequence, so an SREJ
6019 * must be sent for each missing frame. The
6020 * current frame is stored for later use.
6022 skb_queue_tail(&chan->srej_q, skb);
6024 BT_DBG("Queued %p (queue len %d)", skb,
6025 skb_queue_len(&chan->srej_q));
6027 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6028 l2cap_seq_list_clear(&chan->srej_list);
6029 l2cap_send_srej(chan, control->txseq);
6031 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6033 case L2CAP_TXSEQ_DUPLICATE:
6034 l2cap_pass_to_tx(chan, control);
6036 case L2CAP_TXSEQ_INVALID_IGNORE:
6038 case L2CAP_TXSEQ_INVALID:
6040 l2cap_send_disconn_req(chan, ECONNRESET);
6044 case L2CAP_EV_RECV_RR:
6045 l2cap_pass_to_tx(chan, control);
6046 if (control->final) {
6047 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6049 if (!test_and_clear_bit(CONN_REJ_ACT,
6050 &chan->conn_state)) {
6052 l2cap_retransmit_all(chan, control);
6055 l2cap_ertm_send(chan);
6056 } else if (control->poll) {
6057 l2cap_send_i_or_rr_or_rnr(chan);
6059 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6060 &chan->conn_state) &&
6061 chan->unacked_frames)
6062 __set_retrans_timer(chan);
6064 l2cap_ertm_send(chan);
6067 case L2CAP_EV_RECV_RNR:
6068 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6069 l2cap_pass_to_tx(chan, control);
6070 if (control && control->poll) {
6071 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6072 l2cap_send_rr_or_rnr(chan, 0);
6074 __clear_retrans_timer(chan);
6075 l2cap_seq_list_clear(&chan->retrans_list);
6077 case L2CAP_EV_RECV_REJ:
6078 l2cap_handle_rej(chan, control);
6080 case L2CAP_EV_RECV_SREJ:
6081 l2cap_handle_srej(chan, control);
6087 if (skb && !skb_in_use) {
6088 BT_DBG("Freeing %p", skb);
6095 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6096 struct l2cap_ctrl *control,
6097 struct sk_buff *skb, u8 event)
6100 u16 txseq = control->txseq;
6101 bool skb_in_use = false;
6103 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6107 case L2CAP_EV_RECV_IFRAME:
6108 switch (l2cap_classify_txseq(chan, txseq)) {
6109 case L2CAP_TXSEQ_EXPECTED:
6110 /* Keep frame for reassembly later */
6111 l2cap_pass_to_tx(chan, control);
6112 skb_queue_tail(&chan->srej_q, skb);
6114 BT_DBG("Queued %p (queue len %d)", skb,
6115 skb_queue_len(&chan->srej_q));
6117 chan->expected_tx_seq = __next_seq(chan, txseq);
6119 case L2CAP_TXSEQ_EXPECTED_SREJ:
6120 l2cap_seq_list_pop(&chan->srej_list);
6122 l2cap_pass_to_tx(chan, control);
6123 skb_queue_tail(&chan->srej_q, skb);
6125 BT_DBG("Queued %p (queue len %d)", skb,
6126 skb_queue_len(&chan->srej_q));
6128 err = l2cap_rx_queued_iframes(chan);
6133 case L2CAP_TXSEQ_UNEXPECTED:
6134 /* Got a frame that can't be reassembled yet.
6135 * Save it for later, and send SREJs to cover
6136 * the missing frames.
6138 skb_queue_tail(&chan->srej_q, skb);
6140 BT_DBG("Queued %p (queue len %d)", skb,
6141 skb_queue_len(&chan->srej_q));
6143 l2cap_pass_to_tx(chan, control);
6144 l2cap_send_srej(chan, control->txseq);
6146 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6147 /* This frame was requested with an SREJ, but
6148 * some expected retransmitted frames are
6149 * missing. Request retransmission of missing
6152 skb_queue_tail(&chan->srej_q, skb);
6154 BT_DBG("Queued %p (queue len %d)", skb,
6155 skb_queue_len(&chan->srej_q));
6157 l2cap_pass_to_tx(chan, control);
6158 l2cap_send_srej_list(chan, control->txseq);
6160 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6161 /* We've already queued this frame. Drop this copy. */
6162 l2cap_pass_to_tx(chan, control);
6164 case L2CAP_TXSEQ_DUPLICATE:
6165 /* Expecting a later sequence number, so this frame
6166 * was already received. Ignore it completely.
6169 case L2CAP_TXSEQ_INVALID_IGNORE:
6171 case L2CAP_TXSEQ_INVALID:
6173 l2cap_send_disconn_req(chan, ECONNRESET);
6177 case L2CAP_EV_RECV_RR:
6178 l2cap_pass_to_tx(chan, control);
6179 if (control->final) {
6180 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6182 if (!test_and_clear_bit(CONN_REJ_ACT,
6183 &chan->conn_state)) {
6185 l2cap_retransmit_all(chan, control);
6188 l2cap_ertm_send(chan);
6189 } else if (control->poll) {
6190 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6191 &chan->conn_state) &&
6192 chan->unacked_frames) {
6193 __set_retrans_timer(chan);
6196 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6197 l2cap_send_srej_tail(chan);
6199 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6200 &chan->conn_state) &&
6201 chan->unacked_frames)
6202 __set_retrans_timer(chan);
6204 l2cap_send_ack(chan);
6207 case L2CAP_EV_RECV_RNR:
6208 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6209 l2cap_pass_to_tx(chan, control);
6210 if (control->poll) {
6211 l2cap_send_srej_tail(chan);
6213 struct l2cap_ctrl rr_control;
6214 memset(&rr_control, 0, sizeof(rr_control));
6215 rr_control.sframe = 1;
6216 rr_control.super = L2CAP_SUPER_RR;
6217 rr_control.reqseq = chan->buffer_seq;
6218 l2cap_send_sframe(chan, &rr_control);
6222 case L2CAP_EV_RECV_REJ:
6223 l2cap_handle_rej(chan, control);
6225 case L2CAP_EV_RECV_SREJ:
6226 l2cap_handle_srej(chan, control);
6230 if (skb && !skb_in_use) {
6231 BT_DBG("Freeing %p", skb);
6238 static int l2cap_finish_move(struct l2cap_chan *chan)
6240 BT_DBG("chan %p", chan);
6242 chan->rx_state = L2CAP_RX_STATE_RECV;
6243 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6245 return l2cap_resegment(chan);
6248 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6249 struct l2cap_ctrl *control,
6250 struct sk_buff *skb, u8 event)
6254 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6260 l2cap_process_reqseq(chan, control->reqseq);
6262 if (!skb_queue_empty(&chan->tx_q))
6263 chan->tx_send_head = skb_peek(&chan->tx_q);
6265 chan->tx_send_head = NULL;
6267 /* Rewind next_tx_seq to the point expected
6270 chan->next_tx_seq = control->reqseq;
6271 chan->unacked_frames = 0;
6273 err = l2cap_finish_move(chan);
6277 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6278 l2cap_send_i_or_rr_or_rnr(chan);
6280 if (event == L2CAP_EV_RECV_IFRAME)
6283 return l2cap_rx_state_recv(chan, control, NULL, event);
6286 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6287 struct l2cap_ctrl *control,
6288 struct sk_buff *skb, u8 event)
6292 if (!control->final)
6295 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6297 chan->rx_state = L2CAP_RX_STATE_RECV;
6298 l2cap_process_reqseq(chan, control->reqseq);
6300 if (!skb_queue_empty(&chan->tx_q))
6301 chan->tx_send_head = skb_peek(&chan->tx_q);
6303 chan->tx_send_head = NULL;
6305 /* Rewind next_tx_seq to the point expected
6308 chan->next_tx_seq = control->reqseq;
6309 chan->unacked_frames = 0;
6310 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6312 err = l2cap_resegment(chan);
6315 err = l2cap_rx_state_recv(chan, control, skb, event);
6320 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6322 /* Make sure reqseq is for a packet that has been sent but not acked */
6325 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6326 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6329 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6330 struct sk_buff *skb, u8 event)
6334 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6335 control, skb, event, chan->rx_state);
6337 if (__valid_reqseq(chan, control->reqseq)) {
6338 switch (chan->rx_state) {
6339 case L2CAP_RX_STATE_RECV:
6340 err = l2cap_rx_state_recv(chan, control, skb, event);
6342 case L2CAP_RX_STATE_SREJ_SENT:
6343 err = l2cap_rx_state_srej_sent(chan, control, skb,
6346 case L2CAP_RX_STATE_WAIT_P:
6347 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6349 case L2CAP_RX_STATE_WAIT_F:
6350 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6357 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6358 control->reqseq, chan->next_tx_seq,
6359 chan->expected_ack_seq);
6360 l2cap_send_disconn_req(chan, ECONNRESET);
6366 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6367 struct sk_buff *skb)
6369 /* l2cap_reassemble_sdu may free skb, hence invalidate control, so store
6370 * the txseq field in advance to use it after l2cap_reassemble_sdu
6371 * returns and to avoid the race condition, for example:
6373 * The current thread calls:
6374 * l2cap_reassemble_sdu
6375 * chan->ops->recv == l2cap_sock_recv_cb
6376 * __sock_queue_rcv_skb
6377 * Another thread calls:
6381 * Then the current thread tries to access control, but it was freed by
6382 * skb_free_datagram.
6384 u16 txseq = control->txseq;
6386 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6389 if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) {
6390 l2cap_pass_to_tx(chan, control);
6392 BT_DBG("buffer_seq %u->%u", chan->buffer_seq,
6393 __next_seq(chan, chan->buffer_seq));
6395 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6397 l2cap_reassemble_sdu(chan, skb, control);
6400 kfree_skb(chan->sdu);
6403 chan->sdu_last_frag = NULL;
6407 BT_DBG("Freeing %p", skb);
6412 chan->last_acked_seq = txseq;
6413 chan->expected_tx_seq = __next_seq(chan, txseq);
6418 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6420 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6424 __unpack_control(chan, skb);
6429 * We can just drop the corrupted I-frame here.
6430 * Receiver will miss it and start proper recovery
6431 * procedures and ask for retransmission.
6433 if (l2cap_check_fcs(chan, skb))
6436 if (!control->sframe && control->sar == L2CAP_SAR_START)
6437 len -= L2CAP_SDULEN_SIZE;
6439 if (chan->fcs == L2CAP_FCS_CRC16)
6440 len -= L2CAP_FCS_SIZE;
6442 if (len > chan->mps) {
6443 l2cap_send_disconn_req(chan, ECONNRESET);
6447 if (chan->ops->filter) {
6448 if (chan->ops->filter(chan, skb))
6452 if (!control->sframe) {
6455 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6456 control->sar, control->reqseq, control->final,
6459 /* Validate F-bit - F=0 always valid, F=1 only
6460 * valid in TX WAIT_F
6462 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6465 if (chan->mode != L2CAP_MODE_STREAMING) {
6466 event = L2CAP_EV_RECV_IFRAME;
6467 err = l2cap_rx(chan, control, skb, event);
6469 err = l2cap_stream_rx(chan, control, skb);
6473 l2cap_send_disconn_req(chan, ECONNRESET);
6475 const u8 rx_func_to_event[4] = {
6476 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6477 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6480 /* Only I-frames are expected in streaming mode */
6481 if (chan->mode == L2CAP_MODE_STREAMING)
6484 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6485 control->reqseq, control->final, control->poll,
6489 BT_ERR("Trailing bytes: %d in sframe", len);
6490 l2cap_send_disconn_req(chan, ECONNRESET);
6494 /* Validate F and P bits */
6495 if (control->final && (control->poll ||
6496 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6499 event = rx_func_to_event[control->super];
6500 if (l2cap_rx(chan, control, skb, event))
6501 l2cap_send_disconn_req(chan, ECONNRESET);
6511 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6513 struct l2cap_conn *conn = chan->conn;
6514 struct l2cap_le_credits pkt;
6517 return_credits = (chan->imtu / chan->mps) + 1;
6519 if (chan->rx_credits >= return_credits)
6522 return_credits -= chan->rx_credits;
6524 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6526 chan->rx_credits += return_credits;
6528 pkt.cid = cpu_to_le16(chan->scid);
6529 pkt.credits = cpu_to_le16(return_credits);
6531 chan->ident = l2cap_get_ident(conn);
6533 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6536 static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb)
6540 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
6542 /* Wait recv to confirm reception before updating the credits */
6543 err = chan->ops->recv(chan, skb);
6545 /* Update credits whenever an SDU is received */
6546 l2cap_chan_le_send_credits(chan);
6551 static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6555 if (!chan->rx_credits) {
6556 BT_ERR("No credits to receive LE L2CAP data");
6557 l2cap_send_disconn_req(chan, ECONNRESET);
6561 if (chan->imtu < skb->len) {
6562 BT_ERR("Too big LE L2CAP PDU");
6567 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6569 /* Update if remote had run out of credits, this should only happens
6570 * if the remote is not using the entire MPS.
6572 if (!chan->rx_credits)
6573 l2cap_chan_le_send_credits(chan);
6580 sdu_len = get_unaligned_le16(skb->data);
6581 skb_pull(skb, L2CAP_SDULEN_SIZE);
6583 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6584 sdu_len, skb->len, chan->imtu);
6586 if (sdu_len > chan->imtu) {
6587 BT_ERR("Too big LE L2CAP SDU length received");
6592 if (skb->len > sdu_len) {
6593 BT_ERR("Too much LE L2CAP data received");
6598 if (skb->len == sdu_len)
6599 return l2cap_ecred_recv(chan, skb);
6602 chan->sdu_len = sdu_len;
6603 chan->sdu_last_frag = skb;
6605 /* Detect if remote is not able to use the selected MPS */
6606 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
6607 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
6609 /* Adjust the number of credits */
6610 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
6611 chan->mps = mps_len;
6612 l2cap_chan_le_send_credits(chan);
6618 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6619 chan->sdu->len, skb->len, chan->sdu_len);
6621 if (chan->sdu->len + skb->len > chan->sdu_len) {
6622 BT_ERR("Too much LE L2CAP data received");
6627 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6630 if (chan->sdu->len == chan->sdu_len) {
6631 err = l2cap_ecred_recv(chan, chan->sdu);
6634 chan->sdu_last_frag = NULL;
6642 kfree_skb(chan->sdu);
6644 chan->sdu_last_frag = NULL;
6648 /* We can't return an error here since we took care of the skb
6649 * freeing internally. An error return would cause the caller to
6650 * do a double-free of the skb.
6655 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6656 struct sk_buff *skb)
6658 struct l2cap_chan *chan;
6660 chan = l2cap_get_chan_by_scid(conn, cid);
6662 BT_DBG("unknown cid 0x%4.4x", cid);
6663 /* Drop packet and return */
6668 BT_DBG("chan %p, len %d", chan, skb->len);
6670 /* If we receive data on a fixed channel before the info req/rsp
6671 * procedure is done simply assume that the channel is supported
6672 * and mark it as ready.
6674 if (chan->chan_type == L2CAP_CHAN_FIXED)
6675 l2cap_chan_ready(chan);
6677 if (chan->state != BT_CONNECTED)
6680 switch (chan->mode) {
6681 case L2CAP_MODE_LE_FLOWCTL:
6682 case L2CAP_MODE_EXT_FLOWCTL:
6683 if (l2cap_ecred_data_rcv(chan, skb) < 0)
6688 case L2CAP_MODE_BASIC:
6689 /* If socket recv buffers overflows we drop data here
6690 * which is *bad* because L2CAP has to be reliable.
6691 * But we don't have any other choice. L2CAP doesn't
6692 * provide flow control mechanism. */
6694 if (chan->imtu < skb->len) {
6695 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6699 if (!chan->ops->recv(chan, skb))
6703 case L2CAP_MODE_ERTM:
6704 case L2CAP_MODE_STREAMING:
6705 l2cap_data_rcv(chan, skb);
6709 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6717 l2cap_chan_unlock(chan);
6718 l2cap_chan_put(chan);
6721 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6722 struct sk_buff *skb)
6724 struct hci_conn *hcon = conn->hcon;
6725 struct l2cap_chan *chan;
6727 if (hcon->type != ACL_LINK)
6730 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6735 BT_DBG("chan %p, len %d", chan, skb->len);
6737 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6740 if (chan->imtu < skb->len)
6743 /* Store remote BD_ADDR and PSM for msg_name */
6744 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6745 bt_cb(skb)->l2cap.psm = psm;
6747 if (!chan->ops->recv(chan, skb)) {
6748 l2cap_chan_put(chan);
6753 l2cap_chan_put(chan);
6758 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6760 struct l2cap_hdr *lh = (void *) skb->data;
6761 struct hci_conn *hcon = conn->hcon;
6765 if (hcon->state != BT_CONNECTED) {
6766 BT_DBG("queueing pending rx skb");
6767 skb_queue_tail(&conn->pending_rx, skb);
6771 skb_pull(skb, L2CAP_HDR_SIZE);
6772 cid = __le16_to_cpu(lh->cid);
6773 len = __le16_to_cpu(lh->len);
6775 if (len != skb->len) {
6780 /* Since we can't actively block incoming LE connections we must
6781 * at least ensure that we ignore incoming data from them.
6783 if (hcon->type == LE_LINK &&
6784 hci_bdaddr_list_lookup(&hcon->hdev->reject_list, &hcon->dst,
6785 bdaddr_dst_type(hcon))) {
6790 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6793 case L2CAP_CID_SIGNALING:
6794 l2cap_sig_channel(conn, skb);
6797 case L2CAP_CID_CONN_LESS:
6798 psm = get_unaligned((__le16 *) skb->data);
6799 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6800 l2cap_conless_channel(conn, psm, skb);
6803 case L2CAP_CID_LE_SIGNALING:
6804 l2cap_le_sig_channel(conn, skb);
6808 l2cap_data_channel(conn, cid, skb);
6813 static void process_pending_rx(struct work_struct *work)
6815 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6817 struct sk_buff *skb;
6821 while ((skb = skb_dequeue(&conn->pending_rx)))
6822 l2cap_recv_frame(conn, skb);
6825 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6827 struct l2cap_conn *conn = hcon->l2cap_data;
6828 struct hci_chan *hchan;
6833 hchan = hci_chan_create(hcon);
6837 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
6839 hci_chan_del(hchan);
6843 kref_init(&conn->ref);
6844 hcon->l2cap_data = conn;
6845 conn->hcon = hci_conn_get(hcon);
6846 conn->hchan = hchan;
6848 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6850 switch (hcon->type) {
6852 if (hcon->hdev->le_mtu) {
6853 conn->mtu = hcon->hdev->le_mtu;
6858 conn->mtu = hcon->hdev->acl_mtu;
6862 conn->feat_mask = 0;
6864 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
6866 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
6867 (bredr_sc_enabled(hcon->hdev) ||
6868 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
6869 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
6871 mutex_init(&conn->ident_lock);
6872 mutex_init(&conn->chan_lock);
6874 INIT_LIST_HEAD(&conn->chan_l);
6875 INIT_LIST_HEAD(&conn->users);
6877 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
6879 skb_queue_head_init(&conn->pending_rx);
6880 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
6881 INIT_DELAYED_WORK(&conn->id_addr_timer, l2cap_conn_update_id_addr);
6883 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6888 static bool is_valid_psm(u16 psm, u8 dst_type)
6893 if (bdaddr_type_is_le(dst_type))
6894 return (psm <= 0x00ff);
6896 /* PSM must be odd and lsb of upper byte must be 0 */
6897 return ((psm & 0x0101) == 0x0001);
6900 struct l2cap_chan_data {
6901 struct l2cap_chan *chan;
6906 static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data)
6908 struct l2cap_chan_data *d = data;
6911 if (chan == d->chan)
6914 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags))
6917 pid = chan->ops->get_peer_pid(chan);
6919 /* Only count deferred channels with the same PID/PSM */
6920 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident ||
6921 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
6927 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
6928 bdaddr_t *dst, u8 dst_type, u16 timeout)
6930 struct l2cap_conn *conn;
6931 struct hci_conn *hcon;
6932 struct hci_dev *hdev;
6935 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src,
6936 dst, dst_type, __le16_to_cpu(psm), chan->mode);
6938 hdev = hci_get_route(dst, &chan->src, chan->src_type);
6940 return -EHOSTUNREACH;
6944 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
6945 chan->chan_type != L2CAP_CHAN_RAW) {
6950 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
6955 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
6960 switch (chan->mode) {
6961 case L2CAP_MODE_BASIC:
6963 case L2CAP_MODE_LE_FLOWCTL:
6965 case L2CAP_MODE_EXT_FLOWCTL:
6966 if (!enable_ecred) {
6971 case L2CAP_MODE_ERTM:
6972 case L2CAP_MODE_STREAMING:
6981 switch (chan->state) {
6985 /* Already connecting */
6990 /* Already connected */
7004 /* Set destination address and psm */
7005 bacpy(&chan->dst, dst);
7006 chan->dst_type = dst_type;
7011 if (bdaddr_type_is_le(dst_type)) {
7012 /* Convert from L2CAP channel address type to HCI address type
7014 if (dst_type == BDADDR_LE_PUBLIC)
7015 dst_type = ADDR_LE_DEV_PUBLIC;
7017 dst_type = ADDR_LE_DEV_RANDOM;
7019 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7020 hcon = hci_connect_le(hdev, dst, dst_type, false,
7021 chan->sec_level, timeout,
7024 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7025 chan->sec_level, timeout,
7026 CONN_REASON_L2CAP_CHAN);
7029 u8 auth_type = l2cap_get_auth_type(chan);
7030 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type,
7031 CONN_REASON_L2CAP_CHAN, timeout);
7035 err = PTR_ERR(hcon);
7039 conn = l2cap_conn_add(hcon);
7041 hci_conn_drop(hcon);
7046 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
7047 struct l2cap_chan_data data;
7050 data.pid = chan->ops->get_peer_pid(chan);
7053 l2cap_chan_list(conn, l2cap_chan_by_pid, &data);
7055 /* Check if there isn't too many channels being connected */
7056 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) {
7057 hci_conn_drop(hcon);
7063 mutex_lock(&conn->chan_lock);
7064 l2cap_chan_lock(chan);
7066 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7067 hci_conn_drop(hcon);
7072 /* Update source addr of the socket */
7073 bacpy(&chan->src, &hcon->src);
7074 chan->src_type = bdaddr_src_type(hcon);
7076 __l2cap_chan_add(conn, chan);
7078 /* l2cap_chan_add takes its own ref so we can drop this one */
7079 hci_conn_drop(hcon);
7081 l2cap_state_change(chan, BT_CONNECT);
7082 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7084 /* Release chan->sport so that it can be reused by other
7085 * sockets (as it's only used for listening sockets).
7087 write_lock(&chan_list_lock);
7089 write_unlock(&chan_list_lock);
7091 if (hcon->state == BT_CONNECTED) {
7092 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7093 __clear_chan_timer(chan);
7094 if (l2cap_chan_check_security(chan, true))
7095 l2cap_state_change(chan, BT_CONNECTED);
7097 l2cap_do_start(chan);
7103 l2cap_chan_unlock(chan);
7104 mutex_unlock(&conn->chan_lock);
7106 hci_dev_unlock(hdev);
7110 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7112 static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
7114 struct l2cap_conn *conn = chan->conn;
7116 struct l2cap_ecred_reconf_req req;
7120 pdu.req.mtu = cpu_to_le16(chan->imtu);
7121 pdu.req.mps = cpu_to_le16(chan->mps);
7122 pdu.scid = cpu_to_le16(chan->scid);
7124 chan->ident = l2cap_get_ident(conn);
7126 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
7130 int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
7132 if (chan->imtu > mtu)
7135 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu);
7139 l2cap_ecred_reconfigure(chan);
7144 /* ---- L2CAP interface with lower layer (HCI) ---- */
7146 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7148 int exact = 0, lm1 = 0, lm2 = 0;
7149 struct l2cap_chan *c;
7151 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7153 /* Find listening sockets and check their link_mode */
7154 read_lock(&chan_list_lock);
7155 list_for_each_entry(c, &chan_list, global_l) {
7156 if (c->state != BT_LISTEN)
7159 if (!bacmp(&c->src, &hdev->bdaddr)) {
7160 lm1 |= HCI_LM_ACCEPT;
7161 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7162 lm1 |= HCI_LM_MASTER;
7164 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7165 lm2 |= HCI_LM_ACCEPT;
7166 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7167 lm2 |= HCI_LM_MASTER;
7170 read_unlock(&chan_list_lock);
7172 return exact ? lm1 : lm2;
7175 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7176 * from an existing channel in the list or from the beginning of the
7177 * global list (by passing NULL as first parameter).
7179 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7180 struct hci_conn *hcon)
7182 u8 src_type = bdaddr_src_type(hcon);
7184 read_lock(&chan_list_lock);
7187 c = list_next_entry(c, global_l);
7189 c = list_entry(chan_list.next, typeof(*c), global_l);
7191 list_for_each_entry_from(c, &chan_list, global_l) {
7192 if (c->chan_type != L2CAP_CHAN_FIXED)
7194 if (c->state != BT_LISTEN)
7196 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7198 if (src_type != c->src_type)
7201 c = l2cap_chan_hold_unless_zero(c);
7202 read_unlock(&chan_list_lock);
7206 read_unlock(&chan_list_lock);
7211 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7213 struct hci_dev *hdev = hcon->hdev;
7214 struct l2cap_conn *conn;
7215 struct l2cap_chan *pchan;
7218 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7221 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7224 l2cap_conn_del(hcon, bt_to_errno(status));
7228 conn = l2cap_conn_add(hcon);
7232 dst_type = bdaddr_dst_type(hcon);
7234 /* If device is blocked, do not create channels for it */
7235 if (hci_bdaddr_list_lookup(&hdev->reject_list, &hcon->dst, dst_type))
7238 /* Find fixed channels and notify them of the new connection. We
7239 * use multiple individual lookups, continuing each time where
7240 * we left off, because the list lock would prevent calling the
7241 * potentially sleeping l2cap_chan_lock() function.
7243 pchan = l2cap_global_fixed_chan(NULL, hcon);
7245 struct l2cap_chan *chan, *next;
7247 /* Client fixed channels should override server ones */
7248 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7251 l2cap_chan_lock(pchan);
7252 chan = pchan->ops->new_connection(pchan);
7254 bacpy(&chan->src, &hcon->src);
7255 bacpy(&chan->dst, &hcon->dst);
7256 chan->src_type = bdaddr_src_type(hcon);
7257 chan->dst_type = dst_type;
7259 __l2cap_chan_add(conn, chan);
7262 l2cap_chan_unlock(pchan);
7264 next = l2cap_global_fixed_chan(pchan, hcon);
7265 l2cap_chan_put(pchan);
7269 l2cap_conn_ready(conn);
7272 int l2cap_disconn_ind(struct hci_conn *hcon)
7274 struct l2cap_conn *conn = hcon->l2cap_data;
7276 BT_DBG("hcon %p", hcon);
7279 return HCI_ERROR_REMOTE_USER_TERM;
7280 return conn->disc_reason;
7283 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7285 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7288 BT_DBG("hcon %p reason %d", hcon, reason);
7290 l2cap_conn_del(hcon, bt_to_errno(reason));
7293 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7295 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7298 if (encrypt == 0x00) {
7299 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7300 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7301 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7302 chan->sec_level == BT_SECURITY_FIPS)
7303 l2cap_chan_close(chan, ECONNREFUSED);
7305 if (chan->sec_level == BT_SECURITY_MEDIUM)
7306 __clear_chan_timer(chan);
7310 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7312 struct l2cap_conn *conn = hcon->l2cap_data;
7313 struct l2cap_chan *chan;
7318 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7320 mutex_lock(&conn->chan_lock);
7322 list_for_each_entry(chan, &conn->chan_l, list) {
7323 l2cap_chan_lock(chan);
7325 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7326 state_to_string(chan->state));
7328 if (!status && encrypt)
7329 chan->sec_level = hcon->sec_level;
7331 if (!__l2cap_no_conn_pending(chan)) {
7332 l2cap_chan_unlock(chan);
7336 if (!status && (chan->state == BT_CONNECTED ||
7337 chan->state == BT_CONFIG)) {
7338 chan->ops->resume(chan);
7339 l2cap_check_encryption(chan, encrypt);
7340 l2cap_chan_unlock(chan);
7344 if (chan->state == BT_CONNECT) {
7345 if (!status && l2cap_check_enc_key_size(hcon))
7346 l2cap_start_connection(chan);
7348 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7349 } else if (chan->state == BT_CONNECT2 &&
7350 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL ||
7351 chan->mode == L2CAP_MODE_LE_FLOWCTL)) {
7352 struct l2cap_conn_rsp rsp;
7355 if (!status && l2cap_check_enc_key_size(hcon)) {
7356 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7357 res = L2CAP_CR_PEND;
7358 stat = L2CAP_CS_AUTHOR_PEND;
7359 chan->ops->defer(chan);
7361 l2cap_state_change(chan, BT_CONFIG);
7362 res = L2CAP_CR_SUCCESS;
7363 stat = L2CAP_CS_NO_INFO;
7366 l2cap_state_change(chan, BT_DISCONN);
7367 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7368 res = L2CAP_CR_SEC_BLOCK;
7369 stat = L2CAP_CS_NO_INFO;
7372 rsp.scid = cpu_to_le16(chan->dcid);
7373 rsp.dcid = cpu_to_le16(chan->scid);
7374 rsp.result = cpu_to_le16(res);
7375 rsp.status = cpu_to_le16(stat);
7376 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7379 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7380 res == L2CAP_CR_SUCCESS) {
7382 set_bit(CONF_REQ_SENT, &chan->conf_state);
7383 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7385 l2cap_build_conf_req(chan, buf, sizeof(buf)),
7387 chan->num_conf_req++;
7391 l2cap_chan_unlock(chan);
7394 mutex_unlock(&conn->chan_lock);
7397 /* Append fragment into frame respecting the maximum len of rx_skb */
7398 static int l2cap_recv_frag(struct l2cap_conn *conn, struct sk_buff *skb,
7401 if (!conn->rx_skb) {
7402 /* Allocate skb for the complete frame (with header) */
7403 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7410 /* Copy as much as the rx_skb can hold */
7411 len = min_t(u16, len, skb->len);
7412 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, len), len);
7414 conn->rx_len -= len;
7419 static int l2cap_recv_len(struct l2cap_conn *conn, struct sk_buff *skb)
7421 struct sk_buff *rx_skb;
7424 /* Append just enough to complete the header */
7425 len = l2cap_recv_frag(conn, skb, L2CAP_LEN_SIZE - conn->rx_skb->len);
7427 /* If header could not be read just continue */
7428 if (len < 0 || conn->rx_skb->len < L2CAP_LEN_SIZE)
7431 rx_skb = conn->rx_skb;
7432 len = get_unaligned_le16(rx_skb->data);
7434 /* Check if rx_skb has enough space to received all fragments */
7435 if (len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE) <= skb_tailroom(rx_skb)) {
7436 /* Update expected len */
7437 conn->rx_len = len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE);
7438 return L2CAP_LEN_SIZE;
7441 /* Reset conn->rx_skb since it will need to be reallocated in order to
7442 * fit all fragments.
7444 conn->rx_skb = NULL;
7446 /* Reallocates rx_skb using the exact expected length */
7447 len = l2cap_recv_frag(conn, rx_skb,
7448 len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE));
7454 static void l2cap_recv_reset(struct l2cap_conn *conn)
7456 kfree_skb(conn->rx_skb);
7457 conn->rx_skb = NULL;
7461 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7463 struct l2cap_conn *conn = hcon->l2cap_data;
7466 /* For AMP controller do not create l2cap conn */
7467 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
7471 conn = l2cap_conn_add(hcon);
7476 BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags);
7480 case ACL_START_NO_FLUSH:
7483 BT_ERR("Unexpected start frame (len %d)", skb->len);
7484 l2cap_recv_reset(conn);
7485 l2cap_conn_unreliable(conn, ECOMM);
7488 /* Start fragment may not contain the L2CAP length so just
7489 * copy the initial byte when that happens and use conn->mtu as
7492 if (skb->len < L2CAP_LEN_SIZE) {
7493 l2cap_recv_frag(conn, skb, conn->mtu);
7497 len = get_unaligned_le16(skb->data) + L2CAP_HDR_SIZE;
7499 if (len == skb->len) {
7500 /* Complete frame received */
7501 l2cap_recv_frame(conn, skb);
7505 BT_DBG("Start: total len %d, frag len %u", len, skb->len);
7507 if (skb->len > len) {
7508 BT_ERR("Frame is too long (len %u, expected len %d)",
7510 l2cap_conn_unreliable(conn, ECOMM);
7514 /* Append fragment into frame (with header) */
7515 if (l2cap_recv_frag(conn, skb, len) < 0)
7521 BT_DBG("Cont: frag len %u (expecting %u)", skb->len, conn->rx_len);
7523 if (!conn->rx_skb) {
7524 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7525 l2cap_conn_unreliable(conn, ECOMM);
7529 /* Complete the L2CAP length if it has not been read */
7530 if (conn->rx_skb->len < L2CAP_LEN_SIZE) {
7531 if (l2cap_recv_len(conn, skb) < 0) {
7532 l2cap_conn_unreliable(conn, ECOMM);
7536 /* Header still could not be read just continue */
7537 if (conn->rx_skb->len < L2CAP_LEN_SIZE)
7541 if (skb->len > conn->rx_len) {
7542 BT_ERR("Fragment is too long (len %u, expected %u)",
7543 skb->len, conn->rx_len);
7544 l2cap_recv_reset(conn);
7545 l2cap_conn_unreliable(conn, ECOMM);
7549 /* Append fragment into frame (with header) */
7550 l2cap_recv_frag(conn, skb, skb->len);
7552 if (!conn->rx_len) {
7553 /* Complete frame received. l2cap_recv_frame
7554 * takes ownership of the skb so set the global
7555 * rx_skb pointer to NULL first.
7557 struct sk_buff *rx_skb = conn->rx_skb;
7558 conn->rx_skb = NULL;
7559 l2cap_recv_frame(conn, rx_skb);
7568 static struct hci_cb l2cap_cb = {
7570 .connect_cfm = l2cap_connect_cfm,
7571 .disconn_cfm = l2cap_disconn_cfm,
7572 .security_cfm = l2cap_security_cfm,
7575 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7577 struct l2cap_chan *c;
7579 read_lock(&chan_list_lock);
7581 list_for_each_entry(c, &chan_list, global_l) {
7582 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7583 &c->src, c->src_type, &c->dst, c->dst_type,
7584 c->state, __le16_to_cpu(c->psm),
7585 c->scid, c->dcid, c->imtu, c->omtu,
7586 c->sec_level, c->mode);
7589 read_unlock(&chan_list_lock);
7594 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
7596 static struct dentry *l2cap_debugfs;
7598 int __init l2cap_init(void)
7602 err = l2cap_init_sockets();
7606 hci_register_cb(&l2cap_cb);
7608 if (IS_ERR_OR_NULL(bt_debugfs))
7611 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7612 NULL, &l2cap_debugfs_fops);
7617 void l2cap_exit(void)
7619 debugfs_remove(l2cap_debugfs);
7620 hci_unregister_cb(&l2cap_cb);
7621 l2cap_cleanup_sockets();
7624 module_param(disable_ertm, bool, 0644);
7625 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
7627 module_param(enable_ecred, bool, 0644);
7628 MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode");
projects / linux.git / blob