2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
28 /* Bluetooth L2CAP core. */
30 #include <linux/module.h>
32 #include <linux/types.h>
33 #include <linux/capability.h>
34 #include <linux/errno.h>
35 #include <linux/kernel.h>
36 #include <linux/sched.h>
37 #include <linux/slab.h>
38 #include <linux/poll.h>
39 #include <linux/fcntl.h>
40 #include <linux/init.h>
41 #include <linux/interrupt.h>
42 #include <linux/socket.h>
43 #include <linux/skbuff.h>
44 #include <linux/list.h>
45 #include <linux/device.h>
46 #include <linux/debugfs.h>
47 #include <linux/seq_file.h>
48 #include <linux/uaccess.h>
49 #include <linux/crc16.h>
52 #include <asm/system.h>
53 #include <asm/unaligned.h>
55 #include <net/bluetooth/bluetooth.h>
56 #include <net/bluetooth/hci_core.h>
57 #include <net/bluetooth/l2cap.h>
58 #include <net/bluetooth/smp.h>
62 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
63 static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
65 static LIST_HEAD(chan_list);
66 static DEFINE_RWLOCK(chan_list_lock);
68 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
70 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
72 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
73 static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
76 static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb);
78 /* ---- L2CAP channels ---- */
80 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
82 struct l2cap_chan *c, *r = NULL;
86 list_for_each_entry_rcu(c, &conn->chan_l, list) {
97 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
99 struct l2cap_chan *c, *r = NULL;
103 list_for_each_entry_rcu(c, &conn->chan_l, list) {
104 if (c->scid == cid) {
114 /* Find channel with given SCID.
115 * Returns locked socket */
116 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
118 struct l2cap_chan *c;
120 c = __l2cap_get_chan_by_scid(conn, cid);
126 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
128 struct l2cap_chan *c, *r = NULL;
132 list_for_each_entry_rcu(c, &conn->chan_l, list) {
133 if (c->ident == ident) {
143 static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
145 struct l2cap_chan *c;
147 c = __l2cap_get_chan_by_ident(conn, ident);
153 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
155 struct l2cap_chan *c;
157 list_for_each_entry(c, &chan_list, global_l) {
158 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
164 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
168 write_lock(&chan_list_lock);
170 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
183 for (p = 0x1001; p < 0x1100; p += 2)
184 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
185 chan->psm = cpu_to_le16(p);
186 chan->sport = cpu_to_le16(p);
193 write_unlock(&chan_list_lock);
197 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
199 write_lock(&chan_list_lock);
203 write_unlock(&chan_list_lock);
208 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
210 u16 cid = L2CAP_CID_DYN_START;
212 for (; cid < L2CAP_CID_DYN_END; cid++) {
213 if (!__l2cap_get_chan_by_scid(conn, cid))
220 static char *state_to_string(int state)
224 return "BT_CONNECTED";
234 return "BT_CONNECT2";
243 return "invalid state";
246 static void l2cap_state_change(struct l2cap_chan *chan, int state)
248 BT_DBG("%p %s -> %s", chan, state_to_string(chan->state),
249 state_to_string(state));
252 chan->ops->state_change(chan->data, state);
255 static void l2cap_chan_timeout(struct work_struct *work)
257 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
259 struct sock *sk = chan->sk;
262 BT_DBG("chan %p state %d", chan, chan->state);
266 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
267 reason = ECONNREFUSED;
268 else if (chan->state == BT_CONNECT &&
269 chan->sec_level != BT_SECURITY_SDP)
270 reason = ECONNREFUSED;
274 l2cap_chan_close(chan, reason);
278 chan->ops->close(chan->data);
279 l2cap_chan_put(chan);
282 struct l2cap_chan *l2cap_chan_create(struct sock *sk)
284 struct l2cap_chan *chan;
286 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
292 write_lock(&chan_list_lock);
293 list_add(&chan->global_l, &chan_list);
294 write_unlock(&chan_list_lock);
296 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
298 chan->state = BT_OPEN;
300 atomic_set(&chan->refcnt, 1);
302 BT_DBG("sk %p chan %p", sk, chan);
307 void l2cap_chan_destroy(struct l2cap_chan *chan)
309 write_lock(&chan_list_lock);
310 list_del(&chan->global_l);
311 write_unlock(&chan_list_lock);
313 l2cap_chan_put(chan);
316 static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
318 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
319 chan->psm, chan->dcid);
321 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
325 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
326 if (conn->hcon->type == LE_LINK) {
328 chan->omtu = L2CAP_LE_DEFAULT_MTU;
329 chan->scid = L2CAP_CID_LE_DATA;
330 chan->dcid = L2CAP_CID_LE_DATA;
332 /* Alloc CID for connection-oriented socket */
333 chan->scid = l2cap_alloc_cid(conn);
334 chan->omtu = L2CAP_DEFAULT_MTU;
336 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
337 /* Connectionless socket */
338 chan->scid = L2CAP_CID_CONN_LESS;
339 chan->dcid = L2CAP_CID_CONN_LESS;
340 chan->omtu = L2CAP_DEFAULT_MTU;
342 /* Raw socket can send/recv signalling messages only */
343 chan->scid = L2CAP_CID_SIGNALING;
344 chan->dcid = L2CAP_CID_SIGNALING;
345 chan->omtu = L2CAP_DEFAULT_MTU;
348 chan->local_id = L2CAP_BESTEFFORT_ID;
349 chan->local_stype = L2CAP_SERV_BESTEFFORT;
350 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
351 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
352 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
353 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
355 l2cap_chan_hold(chan);
357 list_add_rcu(&chan->list, &conn->chan_l);
361 * Must be called on the locked socket. */
362 static void l2cap_chan_del(struct l2cap_chan *chan, int err)
364 struct sock *sk = chan->sk;
365 struct l2cap_conn *conn = chan->conn;
366 struct sock *parent = bt_sk(sk)->parent;
368 __clear_chan_timer(chan);
370 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
373 /* Delete from channel list */
374 list_del_rcu(&chan->list);
377 l2cap_chan_put(chan);
380 hci_conn_put(conn->hcon);
383 l2cap_state_change(chan, BT_CLOSED);
384 sock_set_flag(sk, SOCK_ZAPPED);
390 bt_accept_unlink(sk);
391 parent->sk_data_ready(parent, 0);
393 sk->sk_state_change(sk);
395 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
396 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
399 skb_queue_purge(&chan->tx_q);
401 if (chan->mode == L2CAP_MODE_ERTM) {
402 struct srej_list *l, *tmp;
404 __clear_retrans_timer(chan);
405 __clear_monitor_timer(chan);
406 __clear_ack_timer(chan);
408 skb_queue_purge(&chan->srej_q);
410 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
417 static void l2cap_chan_cleanup_listen(struct sock *parent)
421 BT_DBG("parent %p", parent);
423 /* Close not yet accepted channels */
424 while ((sk = bt_accept_dequeue(parent, NULL))) {
425 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
426 __clear_chan_timer(chan);
428 l2cap_chan_close(chan, ECONNRESET);
430 chan->ops->close(chan->data);
434 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
436 struct l2cap_conn *conn = chan->conn;
437 struct sock *sk = chan->sk;
439 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
441 switch (chan->state) {
443 l2cap_chan_cleanup_listen(sk);
445 l2cap_state_change(chan, BT_CLOSED);
446 sock_set_flag(sk, SOCK_ZAPPED);
451 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
452 conn->hcon->type == ACL_LINK) {
453 __clear_chan_timer(chan);
454 __set_chan_timer(chan, sk->sk_sndtimeo);
455 l2cap_send_disconn_req(conn, chan, reason);
457 l2cap_chan_del(chan, reason);
461 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
462 conn->hcon->type == ACL_LINK) {
463 struct l2cap_conn_rsp rsp;
466 if (bt_sk(sk)->defer_setup)
467 result = L2CAP_CR_SEC_BLOCK;
469 result = L2CAP_CR_BAD_PSM;
470 l2cap_state_change(chan, BT_DISCONN);
472 rsp.scid = cpu_to_le16(chan->dcid);
473 rsp.dcid = cpu_to_le16(chan->scid);
474 rsp.result = cpu_to_le16(result);
475 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
476 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
480 l2cap_chan_del(chan, reason);
485 l2cap_chan_del(chan, reason);
489 sock_set_flag(sk, SOCK_ZAPPED);
494 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
496 if (chan->chan_type == L2CAP_CHAN_RAW) {
497 switch (chan->sec_level) {
498 case BT_SECURITY_HIGH:
499 return HCI_AT_DEDICATED_BONDING_MITM;
500 case BT_SECURITY_MEDIUM:
501 return HCI_AT_DEDICATED_BONDING;
503 return HCI_AT_NO_BONDING;
505 } else if (chan->psm == cpu_to_le16(0x0001)) {
506 if (chan->sec_level == BT_SECURITY_LOW)
507 chan->sec_level = BT_SECURITY_SDP;
509 if (chan->sec_level == BT_SECURITY_HIGH)
510 return HCI_AT_NO_BONDING_MITM;
512 return HCI_AT_NO_BONDING;
514 switch (chan->sec_level) {
515 case BT_SECURITY_HIGH:
516 return HCI_AT_GENERAL_BONDING_MITM;
517 case BT_SECURITY_MEDIUM:
518 return HCI_AT_GENERAL_BONDING;
520 return HCI_AT_NO_BONDING;
525 /* Service level security */
526 int l2cap_chan_check_security(struct l2cap_chan *chan)
528 struct l2cap_conn *conn = chan->conn;
531 auth_type = l2cap_get_auth_type(chan);
533 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
536 static u8 l2cap_get_ident(struct l2cap_conn *conn)
540 /* Get next available identificator.
541 * 1 - 128 are used by kernel.
542 * 129 - 199 are reserved.
543 * 200 - 254 are used by utilities like l2ping, etc.
546 spin_lock(&conn->lock);
548 if (++conn->tx_ident > 128)
553 spin_unlock(&conn->lock);
558 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
560 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
563 BT_DBG("code 0x%2.2x", code);
568 if (lmp_no_flush_capable(conn->hcon->hdev))
569 flags = ACL_START_NO_FLUSH;
573 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
574 skb->priority = HCI_PRIO_MAX;
576 hci_send_acl(conn->hchan, skb, flags);
579 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
581 struct hci_conn *hcon = chan->conn->hcon;
584 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
587 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
588 lmp_no_flush_capable(hcon->hdev))
589 flags = ACL_START_NO_FLUSH;
593 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
594 hci_send_acl(chan->conn->hchan, skb, flags);
597 static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
600 struct l2cap_hdr *lh;
601 struct l2cap_conn *conn = chan->conn;
604 if (chan->state != BT_CONNECTED)
607 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
608 hlen = L2CAP_EXT_HDR_SIZE;
610 hlen = L2CAP_ENH_HDR_SIZE;
612 if (chan->fcs == L2CAP_FCS_CRC16)
613 hlen += L2CAP_FCS_SIZE;
615 BT_DBG("chan %p, control 0x%8.8x", chan, control);
617 count = min_t(unsigned int, conn->mtu, hlen);
619 control |= __set_sframe(chan);
621 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
622 control |= __set_ctrl_final(chan);
624 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
625 control |= __set_ctrl_poll(chan);
627 skb = bt_skb_alloc(count, GFP_ATOMIC);
631 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
632 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
633 lh->cid = cpu_to_le16(chan->dcid);
635 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
637 if (chan->fcs == L2CAP_FCS_CRC16) {
638 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
639 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
642 skb->priority = HCI_PRIO_MAX;
643 l2cap_do_send(chan, skb);
646 static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
648 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
649 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
650 set_bit(CONN_RNR_SENT, &chan->conn_state);
652 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
654 control |= __set_reqseq(chan, chan->buffer_seq);
656 l2cap_send_sframe(chan, control);
659 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
661 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
664 static void l2cap_do_start(struct l2cap_chan *chan)
666 struct l2cap_conn *conn = chan->conn;
668 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
669 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
672 if (l2cap_chan_check_security(chan) &&
673 __l2cap_no_conn_pending(chan)) {
674 struct l2cap_conn_req req;
675 req.scid = cpu_to_le16(chan->scid);
678 chan->ident = l2cap_get_ident(conn);
679 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
681 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
685 struct l2cap_info_req req;
686 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
688 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
689 conn->info_ident = l2cap_get_ident(conn);
691 schedule_delayed_work(&conn->info_timer,
692 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
694 l2cap_send_cmd(conn, conn->info_ident,
695 L2CAP_INFO_REQ, sizeof(req), &req);
699 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
701 u32 local_feat_mask = l2cap_feat_mask;
703 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
706 case L2CAP_MODE_ERTM:
707 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
708 case L2CAP_MODE_STREAMING:
709 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
715 static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
718 struct l2cap_disconn_req req;
725 if (chan->mode == L2CAP_MODE_ERTM) {
726 __clear_retrans_timer(chan);
727 __clear_monitor_timer(chan);
728 __clear_ack_timer(chan);
731 req.dcid = cpu_to_le16(chan->dcid);
732 req.scid = cpu_to_le16(chan->scid);
733 l2cap_send_cmd(conn, l2cap_get_ident(conn),
734 L2CAP_DISCONN_REQ, sizeof(req), &req);
736 l2cap_state_change(chan, BT_DISCONN);
740 /* ---- L2CAP connections ---- */
741 static void l2cap_conn_start(struct l2cap_conn *conn)
743 struct l2cap_chan *chan;
745 BT_DBG("conn %p", conn);
749 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
750 struct sock *sk = chan->sk;
754 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
759 if (chan->state == BT_CONNECT) {
760 struct l2cap_conn_req req;
762 if (!l2cap_chan_check_security(chan) ||
763 !__l2cap_no_conn_pending(chan)) {
768 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
769 && test_bit(CONF_STATE2_DEVICE,
770 &chan->conf_state)) {
771 /* l2cap_chan_close() calls list_del(chan)
772 * so release the lock */
773 l2cap_chan_close(chan, ECONNRESET);
778 req.scid = cpu_to_le16(chan->scid);
781 chan->ident = l2cap_get_ident(conn);
782 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
784 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
787 } else if (chan->state == BT_CONNECT2) {
788 struct l2cap_conn_rsp rsp;
790 rsp.scid = cpu_to_le16(chan->dcid);
791 rsp.dcid = cpu_to_le16(chan->scid);
793 if (l2cap_chan_check_security(chan)) {
794 if (bt_sk(sk)->defer_setup) {
795 struct sock *parent = bt_sk(sk)->parent;
796 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
797 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
799 parent->sk_data_ready(parent, 0);
802 l2cap_state_change(chan, BT_CONFIG);
803 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
804 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
807 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
808 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
811 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
814 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
815 rsp.result != L2CAP_CR_SUCCESS) {
820 set_bit(CONF_REQ_SENT, &chan->conf_state);
821 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
822 l2cap_build_conf_req(chan, buf), buf);
823 chan->num_conf_req++;
832 /* Find socket with cid and source bdaddr.
833 * Returns closest match, locked.
835 static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
837 struct l2cap_chan *c, *c1 = NULL;
839 read_lock(&chan_list_lock);
841 list_for_each_entry(c, &chan_list, global_l) {
842 struct sock *sk = c->sk;
844 if (state && c->state != state)
847 if (c->scid == cid) {
849 if (!bacmp(&bt_sk(sk)->src, src)) {
850 read_unlock(&chan_list_lock);
855 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
860 read_unlock(&chan_list_lock);
865 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
867 struct sock *parent, *sk;
868 struct l2cap_chan *chan, *pchan;
872 /* Check if we have socket listening on cid */
873 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
882 /* Check for backlog size */
883 if (sk_acceptq_is_full(parent)) {
884 BT_DBG("backlog full %d", parent->sk_ack_backlog);
888 chan = pchan->ops->new_connection(pchan->data);
894 hci_conn_hold(conn->hcon);
896 bacpy(&bt_sk(sk)->src, conn->src);
897 bacpy(&bt_sk(sk)->dst, conn->dst);
899 bt_accept_enqueue(parent, sk);
901 l2cap_chan_add(conn, chan);
903 __set_chan_timer(chan, sk->sk_sndtimeo);
905 l2cap_state_change(chan, BT_CONNECTED);
906 parent->sk_data_ready(parent, 0);
909 release_sock(parent);
912 static void l2cap_chan_ready(struct sock *sk)
914 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
915 struct sock *parent = bt_sk(sk)->parent;
917 BT_DBG("sk %p, parent %p", sk, parent);
919 chan->conf_state = 0;
920 __clear_chan_timer(chan);
922 l2cap_state_change(chan, BT_CONNECTED);
923 sk->sk_state_change(sk);
926 parent->sk_data_ready(parent, 0);
929 static void l2cap_conn_ready(struct l2cap_conn *conn)
931 struct l2cap_chan *chan;
933 BT_DBG("conn %p", conn);
935 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
936 l2cap_le_conn_ready(conn);
938 if (conn->hcon->out && conn->hcon->type == LE_LINK)
939 smp_conn_security(conn, conn->hcon->pending_sec_level);
943 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
944 struct sock *sk = chan->sk;
948 if (conn->hcon->type == LE_LINK) {
949 if (smp_conn_security(conn, chan->sec_level))
950 l2cap_chan_ready(sk);
952 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
953 __clear_chan_timer(chan);
954 l2cap_state_change(chan, BT_CONNECTED);
955 sk->sk_state_change(sk);
957 } else if (chan->state == BT_CONNECT)
958 l2cap_do_start(chan);
966 /* Notify sockets that we cannot guaranty reliability anymore */
967 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
969 struct l2cap_chan *chan;
971 BT_DBG("conn %p", conn);
975 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
976 struct sock *sk = chan->sk;
978 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
985 static void l2cap_info_timeout(struct work_struct *work)
987 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
990 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
991 conn->info_ident = 0;
993 l2cap_conn_start(conn);
996 static void l2cap_conn_del(struct hci_conn *hcon, int err)
998 struct l2cap_conn *conn = hcon->l2cap_data;
999 struct l2cap_chan *chan, *l;
1005 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1007 kfree_skb(conn->rx_skb);
1010 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1013 l2cap_chan_del(chan, err);
1015 chan->ops->close(chan->data);
1018 hci_chan_del(conn->hchan);
1020 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1021 __cancel_delayed_work(&conn->info_timer);
1023 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1024 __cancel_delayed_work(&conn->security_timer);
1025 smp_chan_destroy(conn);
1028 hcon->l2cap_data = NULL;
1032 static void security_timeout(struct work_struct *work)
1034 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1035 security_timer.work);
1037 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1040 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1042 struct l2cap_conn *conn = hcon->l2cap_data;
1043 struct hci_chan *hchan;
1048 hchan = hci_chan_create(hcon);
1052 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1054 hci_chan_del(hchan);
1058 hcon->l2cap_data = conn;
1060 conn->hchan = hchan;
1062 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
1064 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1065 conn->mtu = hcon->hdev->le_mtu;
1067 conn->mtu = hcon->hdev->acl_mtu;
1069 conn->src = &hcon->hdev->bdaddr;
1070 conn->dst = &hcon->dst;
1072 conn->feat_mask = 0;
1074 spin_lock_init(&conn->lock);
1076 INIT_LIST_HEAD(&conn->chan_l);
1078 if (hcon->type == LE_LINK)
1079 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
1081 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
1083 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
1088 /* ---- Socket interface ---- */
1090 /* Find socket with psm and source bdaddr.
1091 * Returns closest match.
1093 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1095 struct l2cap_chan *c, *c1 = NULL;
1097 read_lock(&chan_list_lock);
1099 list_for_each_entry(c, &chan_list, global_l) {
1100 struct sock *sk = c->sk;
1102 if (state && c->state != state)
1105 if (c->psm == psm) {
1107 if (!bacmp(&bt_sk(sk)->src, src)) {
1108 read_unlock(&chan_list_lock);
1113 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
1118 read_unlock(&chan_list_lock);
1123 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, bdaddr_t *dst)
1125 struct sock *sk = chan->sk;
1126 bdaddr_t *src = &bt_sk(sk)->src;
1127 struct l2cap_conn *conn;
1128 struct hci_conn *hcon;
1129 struct hci_dev *hdev;
1133 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
1136 hdev = hci_get_route(dst, src);
1138 return -EHOSTUNREACH;
1144 /* PSM must be odd and lsb of upper byte must be 0 */
1145 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1146 chan->chan_type != L2CAP_CHAN_RAW) {
1151 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1156 switch (chan->mode) {
1157 case L2CAP_MODE_BASIC:
1159 case L2CAP_MODE_ERTM:
1160 case L2CAP_MODE_STREAMING:
1169 switch (sk->sk_state) {
1173 /* Already connecting */
1178 /* Already connected */
1192 /* Set destination address and psm */
1193 bacpy(&bt_sk(sk)->dst, dst);
1197 auth_type = l2cap_get_auth_type(chan);
1199 if (chan->dcid == L2CAP_CID_LE_DATA)
1200 hcon = hci_connect(hdev, LE_LINK, dst,
1201 chan->sec_level, auth_type);
1203 hcon = hci_connect(hdev, ACL_LINK, dst,
1204 chan->sec_level, auth_type);
1207 err = PTR_ERR(hcon);
1211 conn = l2cap_conn_add(hcon, 0);
1218 /* Update source addr of the socket */
1219 bacpy(src, conn->src);
1221 l2cap_chan_add(conn, chan);
1223 l2cap_state_change(chan, BT_CONNECT);
1224 __set_chan_timer(chan, sk->sk_sndtimeo);
1226 if (hcon->state == BT_CONNECTED) {
1227 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1228 __clear_chan_timer(chan);
1229 if (l2cap_chan_check_security(chan))
1230 l2cap_state_change(chan, BT_CONNECTED);
1232 l2cap_do_start(chan);
1238 hci_dev_unlock(hdev);
1243 int __l2cap_wait_ack(struct sock *sk)
1245 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1246 DECLARE_WAITQUEUE(wait, current);
1250 add_wait_queue(sk_sleep(sk), &wait);
1251 set_current_state(TASK_INTERRUPTIBLE);
1252 while (chan->unacked_frames > 0 && chan->conn) {
1256 if (signal_pending(current)) {
1257 err = sock_intr_errno(timeo);
1262 timeo = schedule_timeout(timeo);
1264 set_current_state(TASK_INTERRUPTIBLE);
1266 err = sock_error(sk);
1270 set_current_state(TASK_RUNNING);
1271 remove_wait_queue(sk_sleep(sk), &wait);
1275 static void l2cap_monitor_timeout(struct work_struct *work)
1277 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1278 monitor_timer.work);
1279 struct sock *sk = chan->sk;
1281 BT_DBG("chan %p", chan);
1284 if (chan->retry_count >= chan->remote_max_tx) {
1285 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1290 chan->retry_count++;
1291 __set_monitor_timer(chan);
1293 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1297 static void l2cap_retrans_timeout(struct work_struct *work)
1299 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1300 retrans_timer.work);
1301 struct sock *sk = chan->sk;
1303 BT_DBG("chan %p", chan);
1306 chan->retry_count = 1;
1307 __set_monitor_timer(chan);
1309 set_bit(CONN_WAIT_F, &chan->conn_state);
1311 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1315 static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1317 struct sk_buff *skb;
1319 while ((skb = skb_peek(&chan->tx_q)) &&
1320 chan->unacked_frames) {
1321 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1324 skb = skb_dequeue(&chan->tx_q);
1327 chan->unacked_frames--;
1330 if (!chan->unacked_frames)
1331 __clear_retrans_timer(chan);
1334 static void l2cap_streaming_send(struct l2cap_chan *chan)
1336 struct sk_buff *skb;
1340 while ((skb = skb_dequeue(&chan->tx_q))) {
1341 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
1342 control |= __set_txseq(chan, chan->next_tx_seq);
1343 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
1345 if (chan->fcs == L2CAP_FCS_CRC16) {
1346 fcs = crc16(0, (u8 *)skb->data,
1347 skb->len - L2CAP_FCS_SIZE);
1348 put_unaligned_le16(fcs,
1349 skb->data + skb->len - L2CAP_FCS_SIZE);
1352 l2cap_do_send(chan, skb);
1354 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1358 static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
1360 struct sk_buff *skb, *tx_skb;
1364 skb = skb_peek(&chan->tx_q);
1368 while (bt_cb(skb)->tx_seq != tx_seq) {
1369 if (skb_queue_is_last(&chan->tx_q, skb))
1372 skb = skb_queue_next(&chan->tx_q, skb);
1375 if (chan->remote_max_tx &&
1376 bt_cb(skb)->retries == chan->remote_max_tx) {
1377 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1381 tx_skb = skb_clone(skb, GFP_ATOMIC);
1382 bt_cb(skb)->retries++;
1384 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
1385 control &= __get_sar_mask(chan);
1387 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1388 control |= __set_ctrl_final(chan);
1390 control |= __set_reqseq(chan, chan->buffer_seq);
1391 control |= __set_txseq(chan, tx_seq);
1393 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
1395 if (chan->fcs == L2CAP_FCS_CRC16) {
1396 fcs = crc16(0, (u8 *)tx_skb->data,
1397 tx_skb->len - L2CAP_FCS_SIZE);
1398 put_unaligned_le16(fcs,
1399 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
1402 l2cap_do_send(chan, tx_skb);
1405 static int l2cap_ertm_send(struct l2cap_chan *chan)
1407 struct sk_buff *skb, *tx_skb;
1412 if (chan->state != BT_CONNECTED)
1415 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1417 if (chan->remote_max_tx &&
1418 bt_cb(skb)->retries == chan->remote_max_tx) {
1419 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1423 tx_skb = skb_clone(skb, GFP_ATOMIC);
1425 bt_cb(skb)->retries++;
1427 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
1428 control &= __get_sar_mask(chan);
1430 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1431 control |= __set_ctrl_final(chan);
1433 control |= __set_reqseq(chan, chan->buffer_seq);
1434 control |= __set_txseq(chan, chan->next_tx_seq);
1436 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
1438 if (chan->fcs == L2CAP_FCS_CRC16) {
1439 fcs = crc16(0, (u8 *)skb->data,
1440 tx_skb->len - L2CAP_FCS_SIZE);
1441 put_unaligned_le16(fcs, skb->data +
1442 tx_skb->len - L2CAP_FCS_SIZE);
1445 l2cap_do_send(chan, tx_skb);
1447 __set_retrans_timer(chan);
1449 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1451 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1453 if (bt_cb(skb)->retries == 1)
1454 chan->unacked_frames++;
1456 chan->frames_sent++;
1458 if (skb_queue_is_last(&chan->tx_q, skb))
1459 chan->tx_send_head = NULL;
1461 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1469 static int l2cap_retransmit_frames(struct l2cap_chan *chan)
1473 if (!skb_queue_empty(&chan->tx_q))
1474 chan->tx_send_head = chan->tx_q.next;
1476 chan->next_tx_seq = chan->expected_ack_seq;
1477 ret = l2cap_ertm_send(chan);
1481 static void __l2cap_send_ack(struct l2cap_chan *chan)
1485 control |= __set_reqseq(chan, chan->buffer_seq);
1487 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
1488 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
1489 set_bit(CONN_RNR_SENT, &chan->conn_state);
1490 l2cap_send_sframe(chan, control);
1494 if (l2cap_ertm_send(chan) > 0)
1497 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
1498 l2cap_send_sframe(chan, control);
1501 static void l2cap_send_ack(struct l2cap_chan *chan)
1503 __clear_ack_timer(chan);
1504 __l2cap_send_ack(chan);
1507 static void l2cap_send_srejtail(struct l2cap_chan *chan)
1509 struct srej_list *tail;
1512 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
1513 control |= __set_ctrl_final(chan);
1515 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
1516 control |= __set_reqseq(chan, tail->tx_seq);
1518 l2cap_send_sframe(chan, control);
1521 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1523 struct l2cap_conn *conn = chan->conn;
1524 struct sk_buff **frag;
1527 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1533 /* Continuation fragments (no L2CAP header) */
1534 frag = &skb_shinfo(skb)->frag_list;
1536 count = min_t(unsigned int, conn->mtu, len);
1538 *frag = chan->ops->alloc_skb(chan, count,
1539 msg->msg_flags & MSG_DONTWAIT, &err);
1543 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1546 (*frag)->priority = skb->priority;
1551 frag = &(*frag)->next;
1557 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1558 struct msghdr *msg, size_t len,
1561 struct sock *sk = chan->sk;
1562 struct l2cap_conn *conn = chan->conn;
1563 struct sk_buff *skb;
1564 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1565 struct l2cap_hdr *lh;
1567 BT_DBG("sk %p len %d priority %u", sk, (int)len, priority);
1569 count = min_t(unsigned int, (conn->mtu - hlen), len);
1571 skb = chan->ops->alloc_skb(chan, count + hlen,
1572 msg->msg_flags & MSG_DONTWAIT, &err);
1575 return ERR_PTR(err);
1577 skb->priority = priority;
1579 /* Create L2CAP header */
1580 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1581 lh->cid = cpu_to_le16(chan->dcid);
1582 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1583 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1585 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1586 if (unlikely(err < 0)) {
1588 return ERR_PTR(err);
1593 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1594 struct msghdr *msg, size_t len,
1597 struct sock *sk = chan->sk;
1598 struct l2cap_conn *conn = chan->conn;
1599 struct sk_buff *skb;
1600 int err, count, hlen = L2CAP_HDR_SIZE;
1601 struct l2cap_hdr *lh;
1603 BT_DBG("sk %p len %d", sk, (int)len);
1605 count = min_t(unsigned int, (conn->mtu - hlen), len);
1607 skb = chan->ops->alloc_skb(chan, count + hlen,
1608 msg->msg_flags & MSG_DONTWAIT, &err);
1611 return ERR_PTR(err);
1613 skb->priority = priority;
1615 /* Create L2CAP header */
1616 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1617 lh->cid = cpu_to_le16(chan->dcid);
1618 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1620 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1621 if (unlikely(err < 0)) {
1623 return ERR_PTR(err);
1628 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1629 struct msghdr *msg, size_t len,
1630 u32 control, u16 sdulen)
1632 struct sock *sk = chan->sk;
1633 struct l2cap_conn *conn = chan->conn;
1634 struct sk_buff *skb;
1635 int err, count, hlen;
1636 struct l2cap_hdr *lh;
1638 BT_DBG("sk %p len %d", sk, (int)len);
1641 return ERR_PTR(-ENOTCONN);
1643 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1644 hlen = L2CAP_EXT_HDR_SIZE;
1646 hlen = L2CAP_ENH_HDR_SIZE;
1649 hlen += L2CAP_SDULEN_SIZE;
1651 if (chan->fcs == L2CAP_FCS_CRC16)
1652 hlen += L2CAP_FCS_SIZE;
1654 count = min_t(unsigned int, (conn->mtu - hlen), len);
1656 skb = chan->ops->alloc_skb(chan, count + hlen,
1657 msg->msg_flags & MSG_DONTWAIT, &err);
1660 return ERR_PTR(err);
1662 /* Create L2CAP header */
1663 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1664 lh->cid = cpu_to_le16(chan->dcid);
1665 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1667 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1670 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1672 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1673 if (unlikely(err < 0)) {
1675 return ERR_PTR(err);
1678 if (chan->fcs == L2CAP_FCS_CRC16)
1679 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
1681 bt_cb(skb)->retries = 0;
1685 static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1687 struct sk_buff *skb;
1688 struct sk_buff_head sar_queue;
1692 skb_queue_head_init(&sar_queue);
1693 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
1694 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
1696 return PTR_ERR(skb);
1698 __skb_queue_tail(&sar_queue, skb);
1699 len -= chan->remote_mps;
1700 size += chan->remote_mps;
1705 if (len > chan->remote_mps) {
1706 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
1707 buflen = chan->remote_mps;
1709 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
1713 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
1715 skb_queue_purge(&sar_queue);
1716 return PTR_ERR(skb);
1719 __skb_queue_tail(&sar_queue, skb);
1723 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1724 if (chan->tx_send_head == NULL)
1725 chan->tx_send_head = sar_queue.next;
1730 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
1733 struct sk_buff *skb;
1737 /* Connectionless channel */
1738 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
1739 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
1741 return PTR_ERR(skb);
1743 l2cap_do_send(chan, skb);
1747 switch (chan->mode) {
1748 case L2CAP_MODE_BASIC:
1749 /* Check outgoing MTU */
1750 if (len > chan->omtu)
1753 /* Create a basic PDU */
1754 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
1756 return PTR_ERR(skb);
1758 l2cap_do_send(chan, skb);
1762 case L2CAP_MODE_ERTM:
1763 case L2CAP_MODE_STREAMING:
1764 /* Entire SDU fits into one PDU */
1765 if (len <= chan->remote_mps) {
1766 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
1767 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1770 return PTR_ERR(skb);
1772 __skb_queue_tail(&chan->tx_q, skb);
1774 if (chan->tx_send_head == NULL)
1775 chan->tx_send_head = skb;
1778 /* Segment SDU into multiples PDUs */
1779 err = l2cap_sar_segment_sdu(chan, msg, len);
1784 if (chan->mode == L2CAP_MODE_STREAMING) {
1785 l2cap_streaming_send(chan);
1790 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1791 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1796 err = l2cap_ertm_send(chan);
1803 BT_DBG("bad state %1.1x", chan->mode);
1810 /* Copy frame to all raw sockets on that connection */
1811 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1813 struct sk_buff *nskb;
1814 struct l2cap_chan *chan;
1816 BT_DBG("conn %p", conn);
1820 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
1821 struct sock *sk = chan->sk;
1822 if (chan->chan_type != L2CAP_CHAN_RAW)
1825 /* Don't send frame to the socket it came from */
1828 nskb = skb_clone(skb, GFP_ATOMIC);
1832 if (chan->ops->recv(chan->data, nskb))
1839 /* ---- L2CAP signalling commands ---- */
1840 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1841 u8 code, u8 ident, u16 dlen, void *data)
1843 struct sk_buff *skb, **frag;
1844 struct l2cap_cmd_hdr *cmd;
1845 struct l2cap_hdr *lh;
1848 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1849 conn, code, ident, dlen);
1851 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1852 count = min_t(unsigned int, conn->mtu, len);
1854 skb = bt_skb_alloc(count, GFP_ATOMIC);
1858 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1859 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1861 if (conn->hcon->type == LE_LINK)
1862 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1864 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1866 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1869 cmd->len = cpu_to_le16(dlen);
1872 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1873 memcpy(skb_put(skb, count), data, count);
1879 /* Continuation fragments (no L2CAP header) */
1880 frag = &skb_shinfo(skb)->frag_list;
1882 count = min_t(unsigned int, conn->mtu, len);
1884 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1888 memcpy(skb_put(*frag, count), data, count);
1893 frag = &(*frag)->next;
1903 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1905 struct l2cap_conf_opt *opt = *ptr;
1908 len = L2CAP_CONF_OPT_SIZE + opt->len;
1916 *val = *((u8 *) opt->val);
1920 *val = get_unaligned_le16(opt->val);
1924 *val = get_unaligned_le32(opt->val);
1928 *val = (unsigned long) opt->val;
1932 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1936 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1938 struct l2cap_conf_opt *opt = *ptr;
1940 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1947 *((u8 *) opt->val) = val;
1951 put_unaligned_le16(val, opt->val);
1955 put_unaligned_le32(val, opt->val);
1959 memcpy(opt->val, (void *) val, len);
1963 *ptr += L2CAP_CONF_OPT_SIZE + len;
1966 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1968 struct l2cap_conf_efs efs;
1970 switch (chan->mode) {
1971 case L2CAP_MODE_ERTM:
1972 efs.id = chan->local_id;
1973 efs.stype = chan->local_stype;
1974 efs.msdu = cpu_to_le16(chan->local_msdu);
1975 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1976 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1977 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1980 case L2CAP_MODE_STREAMING:
1982 efs.stype = L2CAP_SERV_BESTEFFORT;
1983 efs.msdu = cpu_to_le16(chan->local_msdu);
1984 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1993 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1994 (unsigned long) &efs);
1997 static void l2cap_ack_timeout(struct work_struct *work)
1999 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2002 BT_DBG("chan %p", chan);
2004 lock_sock(chan->sk);
2005 __l2cap_send_ack(chan);
2006 release_sock(chan->sk);
2008 l2cap_chan_put(chan);
2011 static inline void l2cap_ertm_init(struct l2cap_chan *chan)
2013 chan->expected_ack_seq = 0;
2014 chan->unacked_frames = 0;
2015 chan->buffer_seq = 0;
2016 chan->num_acked = 0;
2017 chan->frames_sent = 0;
2019 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2020 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2021 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
2023 skb_queue_head_init(&chan->srej_q);
2025 INIT_LIST_HEAD(&chan->srej_l);
2028 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2031 case L2CAP_MODE_STREAMING:
2032 case L2CAP_MODE_ERTM:
2033 if (l2cap_mode_supported(mode, remote_feat_mask))
2037 return L2CAP_MODE_BASIC;
2041 static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2043 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2046 static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2048 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2051 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2053 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2054 __l2cap_ews_supported(chan)) {
2055 /* use extended control field */
2056 set_bit(FLAG_EXT_CTRL, &chan->flags);
2057 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2059 chan->tx_win = min_t(u16, chan->tx_win,
2060 L2CAP_DEFAULT_TX_WINDOW);
2061 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2065 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
2067 struct l2cap_conf_req *req = data;
2068 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
2069 void *ptr = req->data;
2072 BT_DBG("chan %p", chan);
2074 if (chan->num_conf_req || chan->num_conf_rsp)
2077 switch (chan->mode) {
2078 case L2CAP_MODE_STREAMING:
2079 case L2CAP_MODE_ERTM:
2080 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
2083 if (__l2cap_efs_supported(chan))
2084 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2088 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
2093 if (chan->imtu != L2CAP_DEFAULT_MTU)
2094 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
2096 switch (chan->mode) {
2097 case L2CAP_MODE_BASIC:
2098 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2099 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
2102 rfc.mode = L2CAP_MODE_BASIC;
2104 rfc.max_transmit = 0;
2105 rfc.retrans_timeout = 0;
2106 rfc.monitor_timeout = 0;
2107 rfc.max_pdu_size = 0;
2109 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2110 (unsigned long) &rfc);
2113 case L2CAP_MODE_ERTM:
2114 rfc.mode = L2CAP_MODE_ERTM;
2115 rfc.max_transmit = chan->max_tx;
2116 rfc.retrans_timeout = 0;
2117 rfc.monitor_timeout = 0;
2119 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2120 L2CAP_EXT_HDR_SIZE -
2123 rfc.max_pdu_size = cpu_to_le16(size);
2125 l2cap_txwin_setup(chan);
2127 rfc.txwin_size = min_t(u16, chan->tx_win,
2128 L2CAP_DEFAULT_TX_WINDOW);
2130 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2131 (unsigned long) &rfc);
2133 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2134 l2cap_add_opt_efs(&ptr, chan);
2136 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
2139 if (chan->fcs == L2CAP_FCS_NONE ||
2140 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
2141 chan->fcs = L2CAP_FCS_NONE;
2142 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
2145 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2146 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2150 case L2CAP_MODE_STREAMING:
2151 rfc.mode = L2CAP_MODE_STREAMING;
2153 rfc.max_transmit = 0;
2154 rfc.retrans_timeout = 0;
2155 rfc.monitor_timeout = 0;
2157 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2158 L2CAP_EXT_HDR_SIZE -
2161 rfc.max_pdu_size = cpu_to_le16(size);
2163 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2164 (unsigned long) &rfc);
2166 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2167 l2cap_add_opt_efs(&ptr, chan);
2169 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
2172 if (chan->fcs == L2CAP_FCS_NONE ||
2173 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
2174 chan->fcs = L2CAP_FCS_NONE;
2175 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
2180 req->dcid = cpu_to_le16(chan->dcid);
2181 req->flags = cpu_to_le16(0);
2186 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
2188 struct l2cap_conf_rsp *rsp = data;
2189 void *ptr = rsp->data;
2190 void *req = chan->conf_req;
2191 int len = chan->conf_len;
2192 int type, hint, olen;
2194 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2195 struct l2cap_conf_efs efs;
2197 u16 mtu = L2CAP_DEFAULT_MTU;
2198 u16 result = L2CAP_CONF_SUCCESS;
2201 BT_DBG("chan %p", chan);
2203 while (len >= L2CAP_CONF_OPT_SIZE) {
2204 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
2206 hint = type & L2CAP_CONF_HINT;
2207 type &= L2CAP_CONF_MASK;
2210 case L2CAP_CONF_MTU:
2214 case L2CAP_CONF_FLUSH_TO:
2215 chan->flush_to = val;
2218 case L2CAP_CONF_QOS:
2221 case L2CAP_CONF_RFC:
2222 if (olen == sizeof(rfc))
2223 memcpy(&rfc, (void *) val, olen);
2226 case L2CAP_CONF_FCS:
2227 if (val == L2CAP_FCS_NONE)
2228 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
2231 case L2CAP_CONF_EFS:
2233 if (olen == sizeof(efs))
2234 memcpy(&efs, (void *) val, olen);
2237 case L2CAP_CONF_EWS:
2239 return -ECONNREFUSED;
2241 set_bit(FLAG_EXT_CTRL, &chan->flags);
2242 set_bit(CONF_EWS_RECV, &chan->conf_state);
2243 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2244 chan->remote_tx_win = val;
2251 result = L2CAP_CONF_UNKNOWN;
2252 *((u8 *) ptr++) = type;
2257 if (chan->num_conf_rsp || chan->num_conf_req > 1)
2260 switch (chan->mode) {
2261 case L2CAP_MODE_STREAMING:
2262 case L2CAP_MODE_ERTM:
2263 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
2264 chan->mode = l2cap_select_mode(rfc.mode,
2265 chan->conn->feat_mask);
2270 if (__l2cap_efs_supported(chan))
2271 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2273 return -ECONNREFUSED;
2276 if (chan->mode != rfc.mode)
2277 return -ECONNREFUSED;
2283 if (chan->mode != rfc.mode) {
2284 result = L2CAP_CONF_UNACCEPT;
2285 rfc.mode = chan->mode;
2287 if (chan->num_conf_rsp == 1)
2288 return -ECONNREFUSED;
2290 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2291 sizeof(rfc), (unsigned long) &rfc);
2294 if (result == L2CAP_CONF_SUCCESS) {
2295 /* Configure output options and let the other side know
2296 * which ones we don't like. */
2298 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2299 result = L2CAP_CONF_UNACCEPT;
2302 set_bit(CONF_MTU_DONE, &chan->conf_state);
2304 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
2307 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2308 efs.stype != L2CAP_SERV_NOTRAFIC &&
2309 efs.stype != chan->local_stype) {
2311 result = L2CAP_CONF_UNACCEPT;
2313 if (chan->num_conf_req >= 1)
2314 return -ECONNREFUSED;
2316 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2318 (unsigned long) &efs);
2320 /* Send PENDING Conf Rsp */
2321 result = L2CAP_CONF_PENDING;
2322 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2327 case L2CAP_MODE_BASIC:
2328 chan->fcs = L2CAP_FCS_NONE;
2329 set_bit(CONF_MODE_DONE, &chan->conf_state);
2332 case L2CAP_MODE_ERTM:
2333 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2334 chan->remote_tx_win = rfc.txwin_size;
2336 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2338 chan->remote_max_tx = rfc.max_transmit;
2340 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2342 L2CAP_EXT_HDR_SIZE -
2345 rfc.max_pdu_size = cpu_to_le16(size);
2346 chan->remote_mps = size;
2348 rfc.retrans_timeout =
2349 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2350 rfc.monitor_timeout =
2351 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
2353 set_bit(CONF_MODE_DONE, &chan->conf_state);
2355 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2356 sizeof(rfc), (unsigned long) &rfc);
2358 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2359 chan->remote_id = efs.id;
2360 chan->remote_stype = efs.stype;
2361 chan->remote_msdu = le16_to_cpu(efs.msdu);
2362 chan->remote_flush_to =
2363 le32_to_cpu(efs.flush_to);
2364 chan->remote_acc_lat =
2365 le32_to_cpu(efs.acc_lat);
2366 chan->remote_sdu_itime =
2367 le32_to_cpu(efs.sdu_itime);
2368 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2369 sizeof(efs), (unsigned long) &efs);
2373 case L2CAP_MODE_STREAMING:
2374 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2376 L2CAP_EXT_HDR_SIZE -
2379 rfc.max_pdu_size = cpu_to_le16(size);
2380 chan->remote_mps = size;
2382 set_bit(CONF_MODE_DONE, &chan->conf_state);
2384 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2385 sizeof(rfc), (unsigned long) &rfc);
2390 result = L2CAP_CONF_UNACCEPT;
2392 memset(&rfc, 0, sizeof(rfc));
2393 rfc.mode = chan->mode;
2396 if (result == L2CAP_CONF_SUCCESS)
2397 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2399 rsp->scid = cpu_to_le16(chan->dcid);
2400 rsp->result = cpu_to_le16(result);
2401 rsp->flags = cpu_to_le16(0x0000);
2406 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
2408 struct l2cap_conf_req *req = data;
2409 void *ptr = req->data;
2412 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2413 struct l2cap_conf_efs efs;
2415 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
2417 while (len >= L2CAP_CONF_OPT_SIZE) {
2418 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2421 case L2CAP_CONF_MTU:
2422 if (val < L2CAP_DEFAULT_MIN_MTU) {
2423 *result = L2CAP_CONF_UNACCEPT;
2424 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
2427 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
2430 case L2CAP_CONF_FLUSH_TO:
2431 chan->flush_to = val;
2432 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2436 case L2CAP_CONF_RFC:
2437 if (olen == sizeof(rfc))
2438 memcpy(&rfc, (void *)val, olen);
2440 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2441 rfc.mode != chan->mode)
2442 return -ECONNREFUSED;
2446 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2447 sizeof(rfc), (unsigned long) &rfc);
2450 case L2CAP_CONF_EWS:
2451 chan->tx_win = min_t(u16, val,
2452 L2CAP_DEFAULT_EXT_WINDOW);
2453 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2457 case L2CAP_CONF_EFS:
2458 if (olen == sizeof(efs))
2459 memcpy(&efs, (void *)val, olen);
2461 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2462 efs.stype != L2CAP_SERV_NOTRAFIC &&
2463 efs.stype != chan->local_stype)
2464 return -ECONNREFUSED;
2466 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2467 sizeof(efs), (unsigned long) &efs);
2472 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
2473 return -ECONNREFUSED;
2475 chan->mode = rfc.mode;
2477 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
2479 case L2CAP_MODE_ERTM:
2480 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2481 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2482 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2484 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2485 chan->local_msdu = le16_to_cpu(efs.msdu);
2486 chan->local_sdu_itime =
2487 le32_to_cpu(efs.sdu_itime);
2488 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2489 chan->local_flush_to =
2490 le32_to_cpu(efs.flush_to);
2494 case L2CAP_MODE_STREAMING:
2495 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2499 req->dcid = cpu_to_le16(chan->dcid);
2500 req->flags = cpu_to_le16(0x0000);
2505 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
2507 struct l2cap_conf_rsp *rsp = data;
2508 void *ptr = rsp->data;
2510 BT_DBG("chan %p", chan);
2512 rsp->scid = cpu_to_le16(chan->dcid);
2513 rsp->result = cpu_to_le16(result);
2514 rsp->flags = cpu_to_le16(flags);
2519 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2521 struct l2cap_conn_rsp rsp;
2522 struct l2cap_conn *conn = chan->conn;
2525 rsp.scid = cpu_to_le16(chan->dcid);
2526 rsp.dcid = cpu_to_le16(chan->scid);
2527 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2528 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2529 l2cap_send_cmd(conn, chan->ident,
2530 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2532 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2535 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2536 l2cap_build_conf_req(chan, buf), buf);
2537 chan->num_conf_req++;
2540 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
2544 struct l2cap_conf_rfc rfc;
2546 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
2548 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
2551 while (len >= L2CAP_CONF_OPT_SIZE) {
2552 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2555 case L2CAP_CONF_RFC:
2556 if (olen == sizeof(rfc))
2557 memcpy(&rfc, (void *)val, olen);
2562 /* Use sane default values in case a misbehaving remote device
2563 * did not send an RFC option.
2565 rfc.mode = chan->mode;
2566 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2567 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2568 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2570 BT_ERR("Expected RFC option was not found, using defaults");
2574 case L2CAP_MODE_ERTM:
2575 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2576 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2577 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2579 case L2CAP_MODE_STREAMING:
2580 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2584 static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2586 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
2588 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
2591 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2592 cmd->ident == conn->info_ident) {
2593 __cancel_delayed_work(&conn->info_timer);
2595 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2596 conn->info_ident = 0;
2598 l2cap_conn_start(conn);
2604 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2606 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2607 struct l2cap_conn_rsp rsp;
2608 struct l2cap_chan *chan = NULL, *pchan;
2609 struct sock *parent, *sk = NULL;
2610 int result, status = L2CAP_CS_NO_INFO;
2612 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
2613 __le16 psm = req->psm;
2615 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2617 /* Check if we have socket listening on psm */
2618 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2620 result = L2CAP_CR_BAD_PSM;
2628 /* Check if the ACL is secure enough (if not SDP) */
2629 if (psm != cpu_to_le16(0x0001) &&
2630 !hci_conn_check_link_mode(conn->hcon)) {
2631 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
2632 result = L2CAP_CR_SEC_BLOCK;
2636 result = L2CAP_CR_NO_MEM;
2638 /* Check for backlog size */
2639 if (sk_acceptq_is_full(parent)) {
2640 BT_DBG("backlog full %d", parent->sk_ack_backlog);
2644 chan = pchan->ops->new_connection(pchan->data);
2650 /* Check if we already have channel with that dcid */
2651 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2652 sock_set_flag(sk, SOCK_ZAPPED);
2653 chan->ops->close(chan->data);
2657 hci_conn_hold(conn->hcon);
2659 bacpy(&bt_sk(sk)->src, conn->src);
2660 bacpy(&bt_sk(sk)->dst, conn->dst);
2664 bt_accept_enqueue(parent, sk);
2666 l2cap_chan_add(conn, chan);
2670 __set_chan_timer(chan, sk->sk_sndtimeo);
2672 chan->ident = cmd->ident;
2674 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2675 if (l2cap_chan_check_security(chan)) {
2676 if (bt_sk(sk)->defer_setup) {
2677 l2cap_state_change(chan, BT_CONNECT2);
2678 result = L2CAP_CR_PEND;
2679 status = L2CAP_CS_AUTHOR_PEND;
2680 parent->sk_data_ready(parent, 0);
2682 l2cap_state_change(chan, BT_CONFIG);
2683 result = L2CAP_CR_SUCCESS;
2684 status = L2CAP_CS_NO_INFO;
2687 l2cap_state_change(chan, BT_CONNECT2);
2688 result = L2CAP_CR_PEND;
2689 status = L2CAP_CS_AUTHEN_PEND;
2692 l2cap_state_change(chan, BT_CONNECT2);
2693 result = L2CAP_CR_PEND;
2694 status = L2CAP_CS_NO_INFO;
2698 release_sock(parent);
2701 rsp.scid = cpu_to_le16(scid);
2702 rsp.dcid = cpu_to_le16(dcid);
2703 rsp.result = cpu_to_le16(result);
2704 rsp.status = cpu_to_le16(status);
2705 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2707 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2708 struct l2cap_info_req info;
2709 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2711 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2712 conn->info_ident = l2cap_get_ident(conn);
2714 schedule_delayed_work(&conn->info_timer,
2715 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2717 l2cap_send_cmd(conn, conn->info_ident,
2718 L2CAP_INFO_REQ, sizeof(info), &info);
2721 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2722 result == L2CAP_CR_SUCCESS) {
2724 set_bit(CONF_REQ_SENT, &chan->conf_state);
2725 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2726 l2cap_build_conf_req(chan, buf), buf);
2727 chan->num_conf_req++;
2733 static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2735 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2736 u16 scid, dcid, result, status;
2737 struct l2cap_chan *chan;
2741 scid = __le16_to_cpu(rsp->scid);
2742 dcid = __le16_to_cpu(rsp->dcid);
2743 result = __le16_to_cpu(rsp->result);
2744 status = __le16_to_cpu(rsp->status);
2746 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2749 chan = l2cap_get_chan_by_scid(conn, scid);
2753 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
2761 case L2CAP_CR_SUCCESS:
2762 l2cap_state_change(chan, BT_CONFIG);
2765 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
2767 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2770 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2771 l2cap_build_conf_req(chan, req), req);
2772 chan->num_conf_req++;
2776 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
2780 l2cap_chan_del(chan, ECONNREFUSED);
2788 static inline void set_default_fcs(struct l2cap_chan *chan)
2790 /* FCS is enabled only in ERTM or streaming mode, if one or both
2793 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
2794 chan->fcs = L2CAP_FCS_NONE;
2795 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
2796 chan->fcs = L2CAP_FCS_CRC16;
2799 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2801 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2804 struct l2cap_chan *chan;
2808 dcid = __le16_to_cpu(req->dcid);
2809 flags = __le16_to_cpu(req->flags);
2811 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2813 chan = l2cap_get_chan_by_scid(conn, dcid);
2819 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
2820 struct l2cap_cmd_rej_cid rej;
2822 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2823 rej.scid = cpu_to_le16(chan->scid);
2824 rej.dcid = cpu_to_le16(chan->dcid);
2826 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2831 /* Reject if config buffer is too small. */
2832 len = cmd_len - sizeof(*req);
2833 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
2834 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2835 l2cap_build_conf_rsp(chan, rsp,
2836 L2CAP_CONF_REJECT, flags), rsp);
2841 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2842 chan->conf_len += len;
2844 if (flags & 0x0001) {
2845 /* Incomplete config. Send empty response. */
2846 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2847 l2cap_build_conf_rsp(chan, rsp,
2848 L2CAP_CONF_SUCCESS, 0x0001), rsp);
2852 /* Complete config. */
2853 len = l2cap_parse_conf_req(chan, rsp);
2855 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2859 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2860 chan->num_conf_rsp++;
2862 /* Reset config buffer. */
2865 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
2868 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
2869 set_default_fcs(chan);
2871 l2cap_state_change(chan, BT_CONNECTED);
2873 chan->next_tx_seq = 0;
2874 chan->expected_tx_seq = 0;
2875 skb_queue_head_init(&chan->tx_q);
2876 if (chan->mode == L2CAP_MODE_ERTM)
2877 l2cap_ertm_init(chan);
2879 l2cap_chan_ready(sk);
2883 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
2885 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2886 l2cap_build_conf_req(chan, buf), buf);
2887 chan->num_conf_req++;
2890 /* Got Conf Rsp PENDING from remote side and asume we sent
2891 Conf Rsp PENDING in the code above */
2892 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
2893 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2895 /* check compatibility */
2897 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2898 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2900 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2901 l2cap_build_conf_rsp(chan, rsp,
2902 L2CAP_CONF_SUCCESS, 0x0000), rsp);
2910 static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2912 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2913 u16 scid, flags, result;
2914 struct l2cap_chan *chan;
2916 int len = cmd->len - sizeof(*rsp);
2918 scid = __le16_to_cpu(rsp->scid);
2919 flags = __le16_to_cpu(rsp->flags);
2920 result = __le16_to_cpu(rsp->result);
2922 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2923 scid, flags, result);
2925 chan = l2cap_get_chan_by_scid(conn, scid);
2932 case L2CAP_CONF_SUCCESS:
2933 l2cap_conf_rfc_get(chan, rsp->data, len);
2934 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2937 case L2CAP_CONF_PENDING:
2938 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2940 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2943 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2946 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2950 /* check compatibility */
2952 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2953 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2955 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2956 l2cap_build_conf_rsp(chan, buf,
2957 L2CAP_CONF_SUCCESS, 0x0000), buf);
2961 case L2CAP_CONF_UNACCEPT:
2962 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
2965 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
2966 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2970 /* throw out any old stored conf requests */
2971 result = L2CAP_CONF_SUCCESS;
2972 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2975 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2979 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2980 L2CAP_CONF_REQ, len, req);
2981 chan->num_conf_req++;
2982 if (result != L2CAP_CONF_SUCCESS)
2988 sk->sk_err = ECONNRESET;
2989 __set_chan_timer(chan,
2990 msecs_to_jiffies(L2CAP_DISC_REJ_TIMEOUT));
2991 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2998 set_bit(CONF_INPUT_DONE, &chan->conf_state);
3000 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
3001 set_default_fcs(chan);
3003 l2cap_state_change(chan, BT_CONNECTED);
3004 chan->next_tx_seq = 0;
3005 chan->expected_tx_seq = 0;
3006 skb_queue_head_init(&chan->tx_q);
3007 if (chan->mode == L2CAP_MODE_ERTM)
3008 l2cap_ertm_init(chan);
3010 l2cap_chan_ready(sk);
3018 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3020 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3021 struct l2cap_disconn_rsp rsp;
3023 struct l2cap_chan *chan;
3026 scid = __le16_to_cpu(req->scid);
3027 dcid = __le16_to_cpu(req->dcid);
3029 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3031 chan = l2cap_get_chan_by_scid(conn, dcid);
3037 rsp.dcid = cpu_to_le16(chan->scid);
3038 rsp.scid = cpu_to_le16(chan->dcid);
3039 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3041 sk->sk_shutdown = SHUTDOWN_MASK;
3043 l2cap_chan_del(chan, ECONNRESET);
3046 chan->ops->close(chan->data);
3050 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3052 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3054 struct l2cap_chan *chan;
3057 scid = __le16_to_cpu(rsp->scid);
3058 dcid = __le16_to_cpu(rsp->dcid);
3060 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3062 chan = l2cap_get_chan_by_scid(conn, scid);
3068 l2cap_chan_del(chan, 0);
3071 chan->ops->close(chan->data);
3075 static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3077 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
3080 type = __le16_to_cpu(req->type);
3082 BT_DBG("type 0x%4.4x", type);
3084 if (type == L2CAP_IT_FEAT_MASK) {
3086 u32 feat_mask = l2cap_feat_mask;
3087 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3088 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3089 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3091 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3094 feat_mask |= L2CAP_FEAT_EXT_FLOW
3095 | L2CAP_FEAT_EXT_WINDOW;
3097 put_unaligned_le32(feat_mask, rsp->data);
3098 l2cap_send_cmd(conn, cmd->ident,
3099 L2CAP_INFO_RSP, sizeof(buf), buf);
3100 } else if (type == L2CAP_IT_FIXED_CHAN) {
3102 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3105 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3107 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3109 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3110 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3111 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
3112 l2cap_send_cmd(conn, cmd->ident,
3113 L2CAP_INFO_RSP, sizeof(buf), buf);
3115 struct l2cap_info_rsp rsp;
3116 rsp.type = cpu_to_le16(type);
3117 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3118 l2cap_send_cmd(conn, cmd->ident,
3119 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3125 static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3127 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3130 type = __le16_to_cpu(rsp->type);
3131 result = __le16_to_cpu(rsp->result);
3133 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3135 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3136 if (cmd->ident != conn->info_ident ||
3137 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3140 __cancel_delayed_work(&conn->info_timer);
3142 if (result != L2CAP_IR_SUCCESS) {
3143 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3144 conn->info_ident = 0;
3146 l2cap_conn_start(conn);
3151 if (type == L2CAP_IT_FEAT_MASK) {
3152 conn->feat_mask = get_unaligned_le32(rsp->data);
3154 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
3155 struct l2cap_info_req req;
3156 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3158 conn->info_ident = l2cap_get_ident(conn);
3160 l2cap_send_cmd(conn, conn->info_ident,
3161 L2CAP_INFO_REQ, sizeof(req), &req);
3163 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3164 conn->info_ident = 0;
3166 l2cap_conn_start(conn);
3168 } else if (type == L2CAP_IT_FIXED_CHAN) {
3169 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3170 conn->info_ident = 0;
3172 l2cap_conn_start(conn);
3178 static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3179 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3182 struct l2cap_create_chan_req *req = data;
3183 struct l2cap_create_chan_rsp rsp;
3186 if (cmd_len != sizeof(*req))
3192 psm = le16_to_cpu(req->psm);
3193 scid = le16_to_cpu(req->scid);
3195 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3197 /* Placeholder: Always reject */
3199 rsp.scid = cpu_to_le16(scid);
3200 rsp.result = L2CAP_CR_NO_MEM;
3201 rsp.status = L2CAP_CS_NO_INFO;
3203 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3209 static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3210 struct l2cap_cmd_hdr *cmd, void *data)
3212 BT_DBG("conn %p", conn);
3214 return l2cap_connect_rsp(conn, cmd, data);
3217 static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3218 u16 icid, u16 result)
3220 struct l2cap_move_chan_rsp rsp;
3222 BT_DBG("icid %d, result %d", icid, result);
3224 rsp.icid = cpu_to_le16(icid);
3225 rsp.result = cpu_to_le16(result);
3227 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3230 static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3231 struct l2cap_chan *chan, u16 icid, u16 result)
3233 struct l2cap_move_chan_cfm cfm;
3236 BT_DBG("icid %d, result %d", icid, result);
3238 ident = l2cap_get_ident(conn);
3240 chan->ident = ident;
3242 cfm.icid = cpu_to_le16(icid);
3243 cfm.result = cpu_to_le16(result);
3245 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3248 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3251 struct l2cap_move_chan_cfm_rsp rsp;
3253 BT_DBG("icid %d", icid);
3255 rsp.icid = cpu_to_le16(icid);
3256 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3259 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3260 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3262 struct l2cap_move_chan_req *req = data;
3264 u16 result = L2CAP_MR_NOT_ALLOWED;
3266 if (cmd_len != sizeof(*req))
3269 icid = le16_to_cpu(req->icid);
3271 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3276 /* Placeholder: Always refuse */
3277 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3282 static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3283 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3285 struct l2cap_move_chan_rsp *rsp = data;
3288 if (cmd_len != sizeof(*rsp))
3291 icid = le16_to_cpu(rsp->icid);
3292 result = le16_to_cpu(rsp->result);
3294 BT_DBG("icid %d, result %d", icid, result);
3296 /* Placeholder: Always unconfirmed */
3297 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3302 static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3303 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3305 struct l2cap_move_chan_cfm *cfm = data;
3308 if (cmd_len != sizeof(*cfm))
3311 icid = le16_to_cpu(cfm->icid);
3312 result = le16_to_cpu(cfm->result);
3314 BT_DBG("icid %d, result %d", icid, result);
3316 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3321 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3322 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3324 struct l2cap_move_chan_cfm_rsp *rsp = data;
3327 if (cmd_len != sizeof(*rsp))
3330 icid = le16_to_cpu(rsp->icid);
3332 BT_DBG("icid %d", icid);
3337 static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
3342 if (min > max || min < 6 || max > 3200)
3345 if (to_multiplier < 10 || to_multiplier > 3200)
3348 if (max >= to_multiplier * 8)
3351 max_latency = (to_multiplier * 8 / max) - 1;
3352 if (latency > 499 || latency > max_latency)
3358 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3359 struct l2cap_cmd_hdr *cmd, u8 *data)
3361 struct hci_conn *hcon = conn->hcon;
3362 struct l2cap_conn_param_update_req *req;
3363 struct l2cap_conn_param_update_rsp rsp;
3364 u16 min, max, latency, to_multiplier, cmd_len;
3367 if (!(hcon->link_mode & HCI_LM_MASTER))
3370 cmd_len = __le16_to_cpu(cmd->len);
3371 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3374 req = (struct l2cap_conn_param_update_req *) data;
3375 min = __le16_to_cpu(req->min);
3376 max = __le16_to_cpu(req->max);
3377 latency = __le16_to_cpu(req->latency);
3378 to_multiplier = __le16_to_cpu(req->to_multiplier);
3380 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3381 min, max, latency, to_multiplier);
3383 memset(&rsp, 0, sizeof(rsp));
3385 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3387 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3389 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3391 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3395 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3400 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3401 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3405 switch (cmd->code) {
3406 case L2CAP_COMMAND_REJ:
3407 l2cap_command_rej(conn, cmd, data);
3410 case L2CAP_CONN_REQ:
3411 err = l2cap_connect_req(conn, cmd, data);
3414 case L2CAP_CONN_RSP:
3415 err = l2cap_connect_rsp(conn, cmd, data);
3418 case L2CAP_CONF_REQ:
3419 err = l2cap_config_req(conn, cmd, cmd_len, data);
3422 case L2CAP_CONF_RSP:
3423 err = l2cap_config_rsp(conn, cmd, data);
3426 case L2CAP_DISCONN_REQ:
3427 err = l2cap_disconnect_req(conn, cmd, data);
3430 case L2CAP_DISCONN_RSP:
3431 err = l2cap_disconnect_rsp(conn, cmd, data);
3434 case L2CAP_ECHO_REQ:
3435 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3438 case L2CAP_ECHO_RSP:
3441 case L2CAP_INFO_REQ:
3442 err = l2cap_information_req(conn, cmd, data);
3445 case L2CAP_INFO_RSP:
3446 err = l2cap_information_rsp(conn, cmd, data);
3449 case L2CAP_CREATE_CHAN_REQ:
3450 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3453 case L2CAP_CREATE_CHAN_RSP:
3454 err = l2cap_create_channel_rsp(conn, cmd, data);
3457 case L2CAP_MOVE_CHAN_REQ:
3458 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3461 case L2CAP_MOVE_CHAN_RSP:
3462 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3465 case L2CAP_MOVE_CHAN_CFM:
3466 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3469 case L2CAP_MOVE_CHAN_CFM_RSP:
3470 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3474 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3482 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3483 struct l2cap_cmd_hdr *cmd, u8 *data)
3485 switch (cmd->code) {
3486 case L2CAP_COMMAND_REJ:
3489 case L2CAP_CONN_PARAM_UPDATE_REQ:
3490 return l2cap_conn_param_update_req(conn, cmd, data);
3492 case L2CAP_CONN_PARAM_UPDATE_RSP:
3496 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3501 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3502 struct sk_buff *skb)
3504 u8 *data = skb->data;
3506 struct l2cap_cmd_hdr cmd;
3509 l2cap_raw_recv(conn, skb);
3511 while (len >= L2CAP_CMD_HDR_SIZE) {
3513 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3514 data += L2CAP_CMD_HDR_SIZE;
3515 len -= L2CAP_CMD_HDR_SIZE;
3517 cmd_len = le16_to_cpu(cmd.len);
3519 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
3521 if (cmd_len > len || !cmd.ident) {
3522 BT_DBG("corrupted command");
3526 if (conn->hcon->type == LE_LINK)
3527 err = l2cap_le_sig_cmd(conn, &cmd, data);
3529 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
3532 struct l2cap_cmd_rej_unk rej;
3534 BT_ERR("Wrong link type (%d)", err);
3536 /* FIXME: Map err to a valid reason */
3537 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
3538 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3548 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
3550 u16 our_fcs, rcv_fcs;
3553 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3554 hdr_size = L2CAP_EXT_HDR_SIZE;
3556 hdr_size = L2CAP_ENH_HDR_SIZE;
3558 if (chan->fcs == L2CAP_FCS_CRC16) {
3559 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
3560 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3561 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3563 if (our_fcs != rcv_fcs)
3569 static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
3573 chan->frames_sent = 0;
3575 control |= __set_reqseq(chan, chan->buffer_seq);
3577 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3578 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
3579 l2cap_send_sframe(chan, control);
3580 set_bit(CONN_RNR_SENT, &chan->conn_state);
3583 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
3584 l2cap_retransmit_frames(chan);
3586 l2cap_ertm_send(chan);
3588 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
3589 chan->frames_sent == 0) {
3590 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
3591 l2cap_send_sframe(chan, control);
3595 static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
3597 struct sk_buff *next_skb;
3598 int tx_seq_offset, next_tx_seq_offset;
3600 bt_cb(skb)->tx_seq = tx_seq;
3601 bt_cb(skb)->sar = sar;
3603 next_skb = skb_peek(&chan->srej_q);
3605 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
3608 if (bt_cb(next_skb)->tx_seq == tx_seq)
3611 next_tx_seq_offset = __seq_offset(chan,
3612 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
3614 if (next_tx_seq_offset > tx_seq_offset) {
3615 __skb_queue_before(&chan->srej_q, next_skb, skb);
3619 if (skb_queue_is_last(&chan->srej_q, next_skb))
3622 next_skb = skb_queue_next(&chan->srej_q, next_skb);
3625 __skb_queue_tail(&chan->srej_q, skb);
3630 static void append_skb_frag(struct sk_buff *skb,
3631 struct sk_buff *new_frag, struct sk_buff **last_frag)
3633 /* skb->len reflects data in skb as well as all fragments
3634 * skb->data_len reflects only data in fragments
3636 if (!skb_has_frag_list(skb))
3637 skb_shinfo(skb)->frag_list = new_frag;
3639 new_frag->next = NULL;
3641 (*last_frag)->next = new_frag;
3642 *last_frag = new_frag;
3644 skb->len += new_frag->len;
3645 skb->data_len += new_frag->len;
3646 skb->truesize += new_frag->truesize;
3649 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
3653 switch (__get_ctrl_sar(chan, control)) {
3654 case L2CAP_SAR_UNSEGMENTED:
3658 err = chan->ops->recv(chan->data, skb);
3661 case L2CAP_SAR_START:
3665 chan->sdu_len = get_unaligned_le16(skb->data);
3666 skb_pull(skb, L2CAP_SDULEN_SIZE);
3668 if (chan->sdu_len > chan->imtu) {
3673 if (skb->len >= chan->sdu_len)
3677 chan->sdu_last_frag = skb;
3683 case L2CAP_SAR_CONTINUE:
3687 append_skb_frag(chan->sdu, skb,
3688 &chan->sdu_last_frag);
3691 if (chan->sdu->len >= chan->sdu_len)
3701 append_skb_frag(chan->sdu, skb,
3702 &chan->sdu_last_frag);
3705 if (chan->sdu->len != chan->sdu_len)
3708 err = chan->ops->recv(chan->data, chan->sdu);
3711 /* Reassembly complete */
3713 chan->sdu_last_frag = NULL;
3721 kfree_skb(chan->sdu);
3723 chan->sdu_last_frag = NULL;
3730 static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
3732 BT_DBG("chan %p, Enter local busy", chan);
3734 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3736 __set_ack_timer(chan);
3739 static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3743 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3746 control = __set_reqseq(chan, chan->buffer_seq);
3747 control |= __set_ctrl_poll(chan);
3748 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
3749 l2cap_send_sframe(chan, control);
3750 chan->retry_count = 1;
3752 __clear_retrans_timer(chan);
3753 __set_monitor_timer(chan);
3755 set_bit(CONN_WAIT_F, &chan->conn_state);
3758 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3759 clear_bit(CONN_RNR_SENT, &chan->conn_state);
3761 BT_DBG("chan %p, Exit local busy", chan);
3764 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
3766 if (chan->mode == L2CAP_MODE_ERTM) {
3768 l2cap_ertm_enter_local_busy(chan);
3770 l2cap_ertm_exit_local_busy(chan);
3774 static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
3776 struct sk_buff *skb;
3779 while ((skb = skb_peek(&chan->srej_q)) &&
3780 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3783 if (bt_cb(skb)->tx_seq != tx_seq)
3786 skb = skb_dequeue(&chan->srej_q);
3787 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
3788 err = l2cap_reassemble_sdu(chan, skb, control);
3791 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3795 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3796 tx_seq = __next_seq(chan, tx_seq);
3800 static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
3802 struct srej_list *l, *tmp;
3805 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
3806 if (l->tx_seq == tx_seq) {
3811 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
3812 control |= __set_reqseq(chan, l->tx_seq);
3813 l2cap_send_sframe(chan, control);
3815 list_add_tail(&l->list, &chan->srej_l);
3819 static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
3821 struct srej_list *new;
3824 while (tx_seq != chan->expected_tx_seq) {
3825 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
3826 control |= __set_reqseq(chan, chan->expected_tx_seq);
3827 l2cap_send_sframe(chan, control);
3829 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3833 new->tx_seq = chan->expected_tx_seq;
3835 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3837 list_add_tail(&new->list, &chan->srej_l);
3840 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3845 static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
3847 u16 tx_seq = __get_txseq(chan, rx_control);
3848 u16 req_seq = __get_reqseq(chan, rx_control);
3849 u8 sar = __get_ctrl_sar(chan, rx_control);
3850 int tx_seq_offset, expected_tx_seq_offset;
3851 int num_to_ack = (chan->tx_win/6) + 1;
3854 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
3855 tx_seq, rx_control);
3857 if (__is_ctrl_final(chan, rx_control) &&
3858 test_bit(CONN_WAIT_F, &chan->conn_state)) {
3859 __clear_monitor_timer(chan);
3860 if (chan->unacked_frames > 0)
3861 __set_retrans_timer(chan);
3862 clear_bit(CONN_WAIT_F, &chan->conn_state);
3865 chan->expected_ack_seq = req_seq;
3866 l2cap_drop_acked_frames(chan);
3868 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
3870 /* invalid tx_seq */
3871 if (tx_seq_offset >= chan->tx_win) {
3872 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3876 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3877 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3878 l2cap_send_ack(chan);
3882 if (tx_seq == chan->expected_tx_seq)
3885 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3886 struct srej_list *first;
3888 first = list_first_entry(&chan->srej_l,
3889 struct srej_list, list);
3890 if (tx_seq == first->tx_seq) {
3891 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3892 l2cap_check_srej_gap(chan, tx_seq);
3894 list_del(&first->list);
3897 if (list_empty(&chan->srej_l)) {
3898 chan->buffer_seq = chan->buffer_seq_srej;
3899 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
3900 l2cap_send_ack(chan);
3901 BT_DBG("chan %p, Exit SREJ_SENT", chan);
3904 struct srej_list *l;
3906 /* duplicated tx_seq */
3907 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
3910 list_for_each_entry(l, &chan->srej_l, list) {
3911 if (l->tx_seq == tx_seq) {
3912 l2cap_resend_srejframe(chan, tx_seq);
3917 err = l2cap_send_srejframe(chan, tx_seq);
3919 l2cap_send_disconn_req(chan->conn, chan, -err);
3924 expected_tx_seq_offset = __seq_offset(chan,
3925 chan->expected_tx_seq, chan->buffer_seq);
3927 /* duplicated tx_seq */
3928 if (tx_seq_offset < expected_tx_seq_offset)
3931 set_bit(CONN_SREJ_SENT, &chan->conn_state);
3933 BT_DBG("chan %p, Enter SREJ", chan);
3935 INIT_LIST_HEAD(&chan->srej_l);
3936 chan->buffer_seq_srej = chan->buffer_seq;
3938 __skb_queue_head_init(&chan->srej_q);
3939 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3941 /* Set P-bit only if there are some I-frames to ack. */
3942 if (__clear_ack_timer(chan))
3943 set_bit(CONN_SEND_PBIT, &chan->conn_state);
3945 err = l2cap_send_srejframe(chan, tx_seq);
3947 l2cap_send_disconn_req(chan->conn, chan, -err);
3954 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3956 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3957 bt_cb(skb)->tx_seq = tx_seq;
3958 bt_cb(skb)->sar = sar;
3959 __skb_queue_tail(&chan->srej_q, skb);
3963 err = l2cap_reassemble_sdu(chan, skb, rx_control);
3964 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3967 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3971 if (__is_ctrl_final(chan, rx_control)) {
3972 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3973 l2cap_retransmit_frames(chan);
3977 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3978 if (chan->num_acked == num_to_ack - 1)
3979 l2cap_send_ack(chan);
3981 __set_ack_timer(chan);
3990 static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
3992 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
3993 __get_reqseq(chan, rx_control), rx_control);
3995 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
3996 l2cap_drop_acked_frames(chan);
3998 if (__is_ctrl_poll(chan, rx_control)) {
3999 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4000 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4001 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4002 (chan->unacked_frames > 0))
4003 __set_retrans_timer(chan);
4005 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4006 l2cap_send_srejtail(chan);
4008 l2cap_send_i_or_rr_or_rnr(chan);
4011 } else if (__is_ctrl_final(chan, rx_control)) {
4012 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4014 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4015 l2cap_retransmit_frames(chan);
4018 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4019 (chan->unacked_frames > 0))
4020 __set_retrans_timer(chan);
4022 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4023 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
4024 l2cap_send_ack(chan);
4026 l2cap_ertm_send(chan);
4030 static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
4032 u16 tx_seq = __get_reqseq(chan, rx_control);
4034 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4036 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4038 chan->expected_ack_seq = tx_seq;
4039 l2cap_drop_acked_frames(chan);
4041 if (__is_ctrl_final(chan, rx_control)) {
4042 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4043 l2cap_retransmit_frames(chan);
4045 l2cap_retransmit_frames(chan);
4047 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4048 set_bit(CONN_REJ_ACT, &chan->conn_state);
4051 static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
4053 u16 tx_seq = __get_reqseq(chan, rx_control);
4055 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4057 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4059 if (__is_ctrl_poll(chan, rx_control)) {
4060 chan->expected_ack_seq = tx_seq;
4061 l2cap_drop_acked_frames(chan);
4063 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4064 l2cap_retransmit_one_frame(chan, tx_seq);
4066 l2cap_ertm_send(chan);
4068 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
4069 chan->srej_save_reqseq = tx_seq;
4070 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4072 } else if (__is_ctrl_final(chan, rx_control)) {
4073 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
4074 chan->srej_save_reqseq == tx_seq)
4075 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4077 l2cap_retransmit_one_frame(chan, tx_seq);
4079 l2cap_retransmit_one_frame(chan, tx_seq);
4080 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
4081 chan->srej_save_reqseq = tx_seq;
4082 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4087 static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
4089 u16 tx_seq = __get_reqseq(chan, rx_control);
4091 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4093 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4094 chan->expected_ack_seq = tx_seq;
4095 l2cap_drop_acked_frames(chan);
4097 if (__is_ctrl_poll(chan, rx_control))
4098 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4100 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4101 __clear_retrans_timer(chan);
4102 if (__is_ctrl_poll(chan, rx_control))
4103 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
4107 if (__is_ctrl_poll(chan, rx_control)) {
4108 l2cap_send_srejtail(chan);
4110 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4111 l2cap_send_sframe(chan, rx_control);
4115 static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
4117 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
4119 if (__is_ctrl_final(chan, rx_control) &&
4120 test_bit(CONN_WAIT_F, &chan->conn_state)) {
4121 __clear_monitor_timer(chan);
4122 if (chan->unacked_frames > 0)
4123 __set_retrans_timer(chan);
4124 clear_bit(CONN_WAIT_F, &chan->conn_state);
4127 switch (__get_ctrl_super(chan, rx_control)) {
4128 case L2CAP_SUPER_RR:
4129 l2cap_data_channel_rrframe(chan, rx_control);
4132 case L2CAP_SUPER_REJ:
4133 l2cap_data_channel_rejframe(chan, rx_control);
4136 case L2CAP_SUPER_SREJ:
4137 l2cap_data_channel_srejframe(chan, rx_control);
4140 case L2CAP_SUPER_RNR:
4141 l2cap_data_channel_rnrframe(chan, rx_control);
4149 int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
4153 int len, next_tx_seq_offset, req_seq_offset;
4155 control = __get_control(chan, skb->data);
4156 skb_pull(skb, __ctrl_size(chan));
4160 * We can just drop the corrupted I-frame here.
4161 * Receiver will miss it and start proper recovery
4162 * procedures and ask retransmission.
4164 if (l2cap_check_fcs(chan, skb))
4167 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
4168 len -= L2CAP_SDULEN_SIZE;
4170 if (chan->fcs == L2CAP_FCS_CRC16)
4171 len -= L2CAP_FCS_SIZE;
4173 if (len > chan->mps) {
4174 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4178 req_seq = __get_reqseq(chan, control);
4180 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4182 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4183 chan->expected_ack_seq);
4185 /* check for invalid req-seq */
4186 if (req_seq_offset > next_tx_seq_offset) {
4187 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4191 if (!__is_sframe(chan, control)) {
4193 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4197 l2cap_data_channel_iframe(chan, control, skb);
4201 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4205 l2cap_data_channel_sframe(chan, control, skb);
4215 static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4217 struct l2cap_chan *chan;
4218 struct sock *sk = NULL;
4223 chan = l2cap_get_chan_by_scid(conn, cid);
4225 BT_DBG("unknown cid 0x%4.4x", cid);
4231 BT_DBG("chan %p, len %d", chan, skb->len);
4233 if (chan->state != BT_CONNECTED)
4236 switch (chan->mode) {
4237 case L2CAP_MODE_BASIC:
4238 /* If socket recv buffers overflows we drop data here
4239 * which is *bad* because L2CAP has to be reliable.
4240 * But we don't have any other choice. L2CAP doesn't
4241 * provide flow control mechanism. */
4243 if (chan->imtu < skb->len)
4246 if (!chan->ops->recv(chan->data, skb))
4250 case L2CAP_MODE_ERTM:
4251 l2cap_ertm_data_rcv(chan, skb);
4255 case L2CAP_MODE_STREAMING:
4256 control = __get_control(chan, skb->data);
4257 skb_pull(skb, __ctrl_size(chan));
4260 if (l2cap_check_fcs(chan, skb))
4263 if (__is_sar_start(chan, control))
4264 len -= L2CAP_SDULEN_SIZE;
4266 if (chan->fcs == L2CAP_FCS_CRC16)
4267 len -= L2CAP_FCS_SIZE;
4269 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
4272 tx_seq = __get_txseq(chan, control);
4274 if (chan->expected_tx_seq != tx_seq) {
4275 /* Frame(s) missing - must discard partial SDU */
4276 kfree_skb(chan->sdu);
4278 chan->sdu_last_frag = NULL;
4281 /* TODO: Notify userland of missing data */
4284 chan->expected_tx_seq = __next_seq(chan, tx_seq);
4286 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4287 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4292 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
4306 static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
4308 struct sock *sk = NULL;
4309 struct l2cap_chan *chan;
4311 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
4319 BT_DBG("sk %p, len %d", sk, skb->len);
4321 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
4324 if (chan->imtu < skb->len)
4327 if (!chan->ops->recv(chan->data, skb))
4339 static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4341 struct sock *sk = NULL;
4342 struct l2cap_chan *chan;
4344 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4352 BT_DBG("sk %p, len %d", sk, skb->len);
4354 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
4357 if (chan->imtu < skb->len)
4360 if (!chan->ops->recv(chan->data, skb))
4372 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4374 struct l2cap_hdr *lh = (void *) skb->data;
4378 skb_pull(skb, L2CAP_HDR_SIZE);
4379 cid = __le16_to_cpu(lh->cid);
4380 len = __le16_to_cpu(lh->len);
4382 if (len != skb->len) {
4387 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4390 case L2CAP_CID_LE_SIGNALING:
4391 case L2CAP_CID_SIGNALING:
4392 l2cap_sig_channel(conn, skb);
4395 case L2CAP_CID_CONN_LESS:
4396 psm = get_unaligned_le16(skb->data);
4398 l2cap_conless_channel(conn, psm, skb);
4401 case L2CAP_CID_LE_DATA:
4402 l2cap_att_channel(conn, cid, skb);
4406 if (smp_sig_channel(conn, skb))
4407 l2cap_conn_del(conn->hcon, EACCES);
4411 l2cap_data_channel(conn, cid, skb);
4416 /* ---- L2CAP interface with lower layer (HCI) ---- */
4418 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
4420 int exact = 0, lm1 = 0, lm2 = 0;
4421 struct l2cap_chan *c;
4423 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4425 /* Find listening sockets and check their link_mode */
4426 read_lock(&chan_list_lock);
4427 list_for_each_entry(c, &chan_list, global_l) {
4428 struct sock *sk = c->sk;
4430 if (c->state != BT_LISTEN)
4433 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
4434 lm1 |= HCI_LM_ACCEPT;
4435 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
4436 lm1 |= HCI_LM_MASTER;
4438 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4439 lm2 |= HCI_LM_ACCEPT;
4440 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
4441 lm2 |= HCI_LM_MASTER;
4444 read_unlock(&chan_list_lock);
4446 return exact ? lm1 : lm2;
4449 int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4451 struct l2cap_conn *conn;
4453 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4456 conn = l2cap_conn_add(hcon, status);
4458 l2cap_conn_ready(conn);
4460 l2cap_conn_del(hcon, bt_to_errno(status));
4465 int l2cap_disconn_ind(struct hci_conn *hcon)
4467 struct l2cap_conn *conn = hcon->l2cap_data;
4469 BT_DBG("hcon %p", hcon);
4472 return HCI_ERROR_REMOTE_USER_TERM;
4473 return conn->disc_reason;
4476 int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
4478 BT_DBG("hcon %p reason %d", hcon, reason);
4480 l2cap_conn_del(hcon, bt_to_errno(reason));
4484 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
4486 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
4489 if (encrypt == 0x00) {
4490 if (chan->sec_level == BT_SECURITY_MEDIUM) {
4491 __clear_chan_timer(chan);
4492 __set_chan_timer(chan,
4493 msecs_to_jiffies(L2CAP_ENC_TIMEOUT));
4494 } else if (chan->sec_level == BT_SECURITY_HIGH)
4495 l2cap_chan_close(chan, ECONNREFUSED);
4497 if (chan->sec_level == BT_SECURITY_MEDIUM)
4498 __clear_chan_timer(chan);
4502 int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4504 struct l2cap_conn *conn = hcon->l2cap_data;
4505 struct l2cap_chan *chan;
4510 BT_DBG("conn %p", conn);
4512 if (hcon->type == LE_LINK) {
4513 smp_distribute_keys(conn, 0);
4514 __cancel_delayed_work(&conn->security_timer);
4519 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
4520 struct sock *sk = chan->sk;
4524 BT_DBG("chan->scid %d", chan->scid);
4526 if (chan->scid == L2CAP_CID_LE_DATA) {
4527 if (!status && encrypt) {
4528 chan->sec_level = hcon->sec_level;
4529 l2cap_chan_ready(sk);
4536 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
4541 if (!status && (chan->state == BT_CONNECTED ||
4542 chan->state == BT_CONFIG)) {
4543 l2cap_check_encryption(chan, encrypt);
4548 if (chan->state == BT_CONNECT) {
4550 struct l2cap_conn_req req;
4551 req.scid = cpu_to_le16(chan->scid);
4552 req.psm = chan->psm;
4554 chan->ident = l2cap_get_ident(conn);
4555 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4557 l2cap_send_cmd(conn, chan->ident,
4558 L2CAP_CONN_REQ, sizeof(req), &req);
4560 __clear_chan_timer(chan);
4561 __set_chan_timer(chan,
4562 msecs_to_jiffies(L2CAP_DISC_TIMEOUT));
4564 } else if (chan->state == BT_CONNECT2) {
4565 struct l2cap_conn_rsp rsp;
4569 if (bt_sk(sk)->defer_setup) {
4570 struct sock *parent = bt_sk(sk)->parent;
4571 res = L2CAP_CR_PEND;
4572 stat = L2CAP_CS_AUTHOR_PEND;
4574 parent->sk_data_ready(parent, 0);
4576 l2cap_state_change(chan, BT_CONFIG);
4577 res = L2CAP_CR_SUCCESS;
4578 stat = L2CAP_CS_NO_INFO;
4581 l2cap_state_change(chan, BT_DISCONN);
4582 __set_chan_timer(chan,
4583 msecs_to_jiffies(L2CAP_DISC_TIMEOUT));
4584 res = L2CAP_CR_SEC_BLOCK;
4585 stat = L2CAP_CS_NO_INFO;
4588 rsp.scid = cpu_to_le16(chan->dcid);
4589 rsp.dcid = cpu_to_le16(chan->scid);
4590 rsp.result = cpu_to_le16(res);
4591 rsp.status = cpu_to_le16(stat);
4592 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4604 int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4606 struct l2cap_conn *conn = hcon->l2cap_data;
4609 conn = l2cap_conn_add(hcon, 0);
4614 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4616 if (!(flags & ACL_CONT)) {
4617 struct l2cap_hdr *hdr;
4618 struct l2cap_chan *chan;
4623 BT_ERR("Unexpected start frame (len %d)", skb->len);
4624 kfree_skb(conn->rx_skb);
4625 conn->rx_skb = NULL;
4627 l2cap_conn_unreliable(conn, ECOMM);
4630 /* Start fragment always begin with Basic L2CAP header */
4631 if (skb->len < L2CAP_HDR_SIZE) {
4632 BT_ERR("Frame is too short (len %d)", skb->len);
4633 l2cap_conn_unreliable(conn, ECOMM);
4637 hdr = (struct l2cap_hdr *) skb->data;
4638 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4639 cid = __le16_to_cpu(hdr->cid);
4641 if (len == skb->len) {
4642 /* Complete frame received */
4643 l2cap_recv_frame(conn, skb);
4647 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4649 if (skb->len > len) {
4650 BT_ERR("Frame is too long (len %d, expected len %d)",
4652 l2cap_conn_unreliable(conn, ECOMM);
4656 chan = l2cap_get_chan_by_scid(conn, cid);
4658 if (chan && chan->sk) {
4659 struct sock *sk = chan->sk;
4661 if (chan->imtu < len - L2CAP_HDR_SIZE) {
4662 BT_ERR("Frame exceeding recv MTU (len %d, "
4666 l2cap_conn_unreliable(conn, ECOMM);
4672 /* Allocate skb for the complete frame (with header) */
4673 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4677 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4679 conn->rx_len = len - skb->len;
4681 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4683 if (!conn->rx_len) {
4684 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4685 l2cap_conn_unreliable(conn, ECOMM);
4689 if (skb->len > conn->rx_len) {
4690 BT_ERR("Fragment is too long (len %d, expected %d)",
4691 skb->len, conn->rx_len);
4692 kfree_skb(conn->rx_skb);
4693 conn->rx_skb = NULL;
4695 l2cap_conn_unreliable(conn, ECOMM);
4699 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4701 conn->rx_len -= skb->len;
4703 if (!conn->rx_len) {
4704 /* Complete frame received */
4705 l2cap_recv_frame(conn, conn->rx_skb);
4706 conn->rx_skb = NULL;
4715 static int l2cap_debugfs_show(struct seq_file *f, void *p)
4717 struct l2cap_chan *c;
4719 read_lock(&chan_list_lock);
4721 list_for_each_entry(c, &chan_list, global_l) {
4722 struct sock *sk = c->sk;
4724 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
4725 batostr(&bt_sk(sk)->src),
4726 batostr(&bt_sk(sk)->dst),
4727 c->state, __le16_to_cpu(c->psm),
4728 c->scid, c->dcid, c->imtu, c->omtu,
4729 c->sec_level, c->mode);
4732 read_unlock(&chan_list_lock);
4737 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4739 return single_open(file, l2cap_debugfs_show, inode->i_private);
4742 static const struct file_operations l2cap_debugfs_fops = {
4743 .open = l2cap_debugfs_open,
4745 .llseek = seq_lseek,
4746 .release = single_release,
4749 static struct dentry *l2cap_debugfs;
4751 int __init l2cap_init(void)
4755 err = l2cap_init_sockets();
4760 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4761 bt_debugfs, NULL, &l2cap_debugfs_fops);
4763 BT_ERR("Failed to create L2CAP debug file");
4769 void l2cap_exit(void)
4771 debugfs_remove(l2cap_debugfs);
4772 l2cap_cleanup_sockets();
4775 module_param(disable_ertm, bool, 0644);
4776 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
projects / linux-flexiantxendom0-3.2.10.git / blob