2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
28 /* Bluetooth L2CAP core. */
30 #include <linux/module.h>
32 #include <linux/types.h>
33 #include <linux/capability.h>
34 #include <linux/errno.h>
35 #include <linux/kernel.h>
36 #include <linux/sched.h>
37 #include <linux/slab.h>
38 #include <linux/poll.h>
39 #include <linux/fcntl.h>
40 #include <linux/init.h>
41 #include <linux/interrupt.h>
42 #include <linux/socket.h>
43 #include <linux/skbuff.h>
44 #include <linux/list.h>
45 #include <linux/device.h>
46 #include <linux/debugfs.h>
47 #include <linux/seq_file.h>
48 #include <linux/uaccess.h>
49 #include <linux/crc16.h>
52 #include <asm/system.h>
53 #include <asm/unaligned.h>
55 #include <net/bluetooth/bluetooth.h>
56 #include <net/bluetooth/hci_core.h>
57 #include <net/bluetooth/l2cap.h>
58 #include <net/bluetooth/smp.h>
62 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
63 static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
65 static LIST_HEAD(chan_list);
66 static DEFINE_RWLOCK(chan_list_lock);
68 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
70 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
72 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
73 static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
76 static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
78 /* ---- L2CAP channels ---- */
80 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
82 struct l2cap_chan *c, *r = NULL;
86 list_for_each_entry_rcu(c, &conn->chan_l, list) {
97 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
99 struct l2cap_chan *c, *r = NULL;
103 list_for_each_entry_rcu(c, &conn->chan_l, list) {
104 if (c->scid == cid) {
114 /* Find channel with given SCID.
115 * Returns locked socket */
116 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
118 struct l2cap_chan *c;
120 c = __l2cap_get_chan_by_scid(conn, cid);
126 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
128 struct l2cap_chan *c, *r = NULL;
132 list_for_each_entry_rcu(c, &conn->chan_l, list) {
133 if (c->ident == ident) {
143 static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
145 struct l2cap_chan *c;
147 c = __l2cap_get_chan_by_ident(conn, ident);
153 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
155 struct l2cap_chan *c;
157 list_for_each_entry(c, &chan_list, global_l) {
158 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
164 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
168 write_lock_bh(&chan_list_lock);
170 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
183 for (p = 0x1001; p < 0x1100; p += 2)
184 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
185 chan->psm = cpu_to_le16(p);
186 chan->sport = cpu_to_le16(p);
193 write_unlock_bh(&chan_list_lock);
197 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
199 write_lock_bh(&chan_list_lock);
203 write_unlock_bh(&chan_list_lock);
208 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
210 u16 cid = L2CAP_CID_DYN_START;
212 for (; cid < L2CAP_CID_DYN_END; cid++) {
213 if (!__l2cap_get_chan_by_scid(conn, cid))
220 static char *state_to_string(int state)
224 return "BT_CONNECTED";
234 return "BT_CONNECT2";
243 return "invalid state";
246 static void l2cap_state_change(struct l2cap_chan *chan, int state)
248 BT_DBG("%p %s -> %s", chan, state_to_string(chan->state),
249 state_to_string(state));
252 chan->ops->state_change(chan->data, state);
255 static void l2cap_chan_timeout(struct work_struct *work)
257 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
259 struct sock *sk = chan->sk;
262 BT_DBG("chan %p state %d", chan, chan->state);
266 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
267 reason = ECONNREFUSED;
268 else if (chan->state == BT_CONNECT &&
269 chan->sec_level != BT_SECURITY_SDP)
270 reason = ECONNREFUSED;
274 l2cap_chan_close(chan, reason);
278 chan->ops->close(chan->data);
279 l2cap_chan_put(chan);
282 struct l2cap_chan *l2cap_chan_create(struct sock *sk)
284 struct l2cap_chan *chan;
286 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
292 write_lock_bh(&chan_list_lock);
293 list_add(&chan->global_l, &chan_list);
294 write_unlock_bh(&chan_list_lock);
296 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
298 chan->state = BT_OPEN;
300 atomic_set(&chan->refcnt, 1);
302 BT_DBG("sk %p chan %p", sk, chan);
307 void l2cap_chan_destroy(struct l2cap_chan *chan)
309 write_lock_bh(&chan_list_lock);
310 list_del(&chan->global_l);
311 write_unlock_bh(&chan_list_lock);
313 l2cap_chan_put(chan);
316 static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
318 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
319 chan->psm, chan->dcid);
321 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
325 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
326 if (conn->hcon->type == LE_LINK) {
328 chan->omtu = L2CAP_LE_DEFAULT_MTU;
329 chan->scid = L2CAP_CID_LE_DATA;
330 chan->dcid = L2CAP_CID_LE_DATA;
332 /* Alloc CID for connection-oriented socket */
333 chan->scid = l2cap_alloc_cid(conn);
334 chan->omtu = L2CAP_DEFAULT_MTU;
336 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
337 /* Connectionless socket */
338 chan->scid = L2CAP_CID_CONN_LESS;
339 chan->dcid = L2CAP_CID_CONN_LESS;
340 chan->omtu = L2CAP_DEFAULT_MTU;
342 /* Raw socket can send/recv signalling messages only */
343 chan->scid = L2CAP_CID_SIGNALING;
344 chan->dcid = L2CAP_CID_SIGNALING;
345 chan->omtu = L2CAP_DEFAULT_MTU;
348 chan->local_id = L2CAP_BESTEFFORT_ID;
349 chan->local_stype = L2CAP_SERV_BESTEFFORT;
350 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
351 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
352 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
353 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
355 l2cap_chan_hold(chan);
357 list_add_rcu(&chan->list, &conn->chan_l);
361 * Must be called on the locked socket. */
362 static void l2cap_chan_del(struct l2cap_chan *chan, int err)
364 struct sock *sk = chan->sk;
365 struct l2cap_conn *conn = chan->conn;
366 struct sock *parent = bt_sk(sk)->parent;
368 __clear_chan_timer(chan);
370 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
373 /* Delete from channel list */
374 list_del_rcu(&chan->list);
377 l2cap_chan_put(chan);
380 hci_conn_put(conn->hcon);
383 l2cap_state_change(chan, BT_CLOSED);
384 sock_set_flag(sk, SOCK_ZAPPED);
390 bt_accept_unlink(sk);
391 parent->sk_data_ready(parent, 0);
393 sk->sk_state_change(sk);
395 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
396 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
399 skb_queue_purge(&chan->tx_q);
401 if (chan->mode == L2CAP_MODE_ERTM) {
402 struct srej_list *l, *tmp;
404 __clear_retrans_timer(chan);
405 __clear_monitor_timer(chan);
406 __clear_ack_timer(chan);
408 skb_queue_purge(&chan->srej_q);
410 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
417 static void l2cap_chan_cleanup_listen(struct sock *parent)
421 BT_DBG("parent %p", parent);
423 /* Close not yet accepted channels */
424 while ((sk = bt_accept_dequeue(parent, NULL))) {
425 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
426 __clear_chan_timer(chan);
428 l2cap_chan_close(chan, ECONNRESET);
430 chan->ops->close(chan->data);
434 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
436 struct l2cap_conn *conn = chan->conn;
437 struct sock *sk = chan->sk;
439 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
441 switch (chan->state) {
443 l2cap_chan_cleanup_listen(sk);
445 l2cap_state_change(chan, BT_CLOSED);
446 sock_set_flag(sk, SOCK_ZAPPED);
451 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
452 conn->hcon->type == ACL_LINK) {
453 __clear_chan_timer(chan);
454 __set_chan_timer(chan, sk->sk_sndtimeo);
455 l2cap_send_disconn_req(conn, chan, reason);
457 l2cap_chan_del(chan, reason);
461 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
462 conn->hcon->type == ACL_LINK) {
463 struct l2cap_conn_rsp rsp;
466 if (bt_sk(sk)->defer_setup)
467 result = L2CAP_CR_SEC_BLOCK;
469 result = L2CAP_CR_BAD_PSM;
470 l2cap_state_change(chan, BT_DISCONN);
472 rsp.scid = cpu_to_le16(chan->dcid);
473 rsp.dcid = cpu_to_le16(chan->scid);
474 rsp.result = cpu_to_le16(result);
475 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
476 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
480 l2cap_chan_del(chan, reason);
485 l2cap_chan_del(chan, reason);
489 sock_set_flag(sk, SOCK_ZAPPED);
494 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
496 if (chan->chan_type == L2CAP_CHAN_RAW) {
497 switch (chan->sec_level) {
498 case BT_SECURITY_HIGH:
499 return HCI_AT_DEDICATED_BONDING_MITM;
500 case BT_SECURITY_MEDIUM:
501 return HCI_AT_DEDICATED_BONDING;
503 return HCI_AT_NO_BONDING;
505 } else if (chan->psm == cpu_to_le16(0x0001)) {
506 if (chan->sec_level == BT_SECURITY_LOW)
507 chan->sec_level = BT_SECURITY_SDP;
509 if (chan->sec_level == BT_SECURITY_HIGH)
510 return HCI_AT_NO_BONDING_MITM;
512 return HCI_AT_NO_BONDING;
514 switch (chan->sec_level) {
515 case BT_SECURITY_HIGH:
516 return HCI_AT_GENERAL_BONDING_MITM;
517 case BT_SECURITY_MEDIUM:
518 return HCI_AT_GENERAL_BONDING;
520 return HCI_AT_NO_BONDING;
525 /* Service level security */
526 int l2cap_chan_check_security(struct l2cap_chan *chan)
528 struct l2cap_conn *conn = chan->conn;
531 auth_type = l2cap_get_auth_type(chan);
533 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
536 static u8 l2cap_get_ident(struct l2cap_conn *conn)
540 /* Get next available identificator.
541 * 1 - 128 are used by kernel.
542 * 129 - 199 are reserved.
543 * 200 - 254 are used by utilities like l2ping, etc.
546 spin_lock_bh(&conn->lock);
548 if (++conn->tx_ident > 128)
553 spin_unlock_bh(&conn->lock);
558 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
560 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
563 BT_DBG("code 0x%2.2x", code);
568 if (lmp_no_flush_capable(conn->hcon->hdev))
569 flags = ACL_START_NO_FLUSH;
573 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
574 skb->priority = HCI_PRIO_MAX;
576 hci_send_acl(conn->hchan, skb, flags);
579 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
581 struct hci_conn *hcon = chan->conn->hcon;
584 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
587 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
588 lmp_no_flush_capable(hcon->hdev))
589 flags = ACL_START_NO_FLUSH;
593 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
594 hci_send_acl(chan->conn->hchan, skb, flags);
597 static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
600 struct l2cap_hdr *lh;
601 struct l2cap_conn *conn = chan->conn;
604 if (chan->state != BT_CONNECTED)
607 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
608 hlen = L2CAP_EXT_HDR_SIZE;
610 hlen = L2CAP_ENH_HDR_SIZE;
612 if (chan->fcs == L2CAP_FCS_CRC16)
613 hlen += L2CAP_FCS_SIZE;
615 BT_DBG("chan %p, control 0x%8.8x", chan, control);
617 count = min_t(unsigned int, conn->mtu, hlen);
619 control |= __set_sframe(chan);
621 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
622 control |= __set_ctrl_final(chan);
624 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
625 control |= __set_ctrl_poll(chan);
627 skb = bt_skb_alloc(count, GFP_ATOMIC);
631 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
632 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
633 lh->cid = cpu_to_le16(chan->dcid);
635 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
637 if (chan->fcs == L2CAP_FCS_CRC16) {
638 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
639 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
642 skb->priority = HCI_PRIO_MAX;
643 l2cap_do_send(chan, skb);
646 static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
648 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
649 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
650 set_bit(CONN_RNR_SENT, &chan->conn_state);
652 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
654 control |= __set_reqseq(chan, chan->buffer_seq);
656 l2cap_send_sframe(chan, control);
659 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
661 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
664 static void l2cap_do_start(struct l2cap_chan *chan)
666 struct l2cap_conn *conn = chan->conn;
668 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
669 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
672 if (l2cap_chan_check_security(chan) &&
673 __l2cap_no_conn_pending(chan)) {
674 struct l2cap_conn_req req;
675 req.scid = cpu_to_le16(chan->scid);
678 chan->ident = l2cap_get_ident(conn);
679 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
681 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
685 struct l2cap_info_req req;
686 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
688 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
689 conn->info_ident = l2cap_get_ident(conn);
691 schedule_delayed_work(&conn->info_timer,
692 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
694 l2cap_send_cmd(conn, conn->info_ident,
695 L2CAP_INFO_REQ, sizeof(req), &req);
699 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
701 u32 local_feat_mask = l2cap_feat_mask;
703 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
706 case L2CAP_MODE_ERTM:
707 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
708 case L2CAP_MODE_STREAMING:
709 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
715 static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
718 struct l2cap_disconn_req req;
725 if (chan->mode == L2CAP_MODE_ERTM) {
726 __clear_retrans_timer(chan);
727 __clear_monitor_timer(chan);
728 __clear_ack_timer(chan);
731 req.dcid = cpu_to_le16(chan->dcid);
732 req.scid = cpu_to_le16(chan->scid);
733 l2cap_send_cmd(conn, l2cap_get_ident(conn),
734 L2CAP_DISCONN_REQ, sizeof(req), &req);
736 l2cap_state_change(chan, BT_DISCONN);
740 /* ---- L2CAP connections ---- */
741 static void l2cap_conn_start(struct l2cap_conn *conn)
743 struct l2cap_chan *chan;
745 BT_DBG("conn %p", conn);
749 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
750 struct sock *sk = chan->sk;
754 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
759 if (chan->state == BT_CONNECT) {
760 struct l2cap_conn_req req;
762 if (!l2cap_chan_check_security(chan) ||
763 !__l2cap_no_conn_pending(chan)) {
768 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
769 && test_bit(CONF_STATE2_DEVICE,
770 &chan->conf_state)) {
771 /* l2cap_chan_close() calls list_del(chan)
772 * so release the lock */
773 l2cap_chan_close(chan, ECONNRESET);
778 req.scid = cpu_to_le16(chan->scid);
781 chan->ident = l2cap_get_ident(conn);
782 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
784 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
787 } else if (chan->state == BT_CONNECT2) {
788 struct l2cap_conn_rsp rsp;
790 rsp.scid = cpu_to_le16(chan->dcid);
791 rsp.dcid = cpu_to_le16(chan->scid);
793 if (l2cap_chan_check_security(chan)) {
794 if (bt_sk(sk)->defer_setup) {
795 struct sock *parent = bt_sk(sk)->parent;
796 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
797 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
799 parent->sk_data_ready(parent, 0);
802 l2cap_state_change(chan, BT_CONFIG);
803 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
804 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
807 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
808 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
811 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
814 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
815 rsp.result != L2CAP_CR_SUCCESS) {
820 set_bit(CONF_REQ_SENT, &chan->conf_state);
821 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
822 l2cap_build_conf_req(chan, buf), buf);
823 chan->num_conf_req++;
832 /* Find socket with cid and source bdaddr.
833 * Returns closest match, locked.
835 static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
837 struct l2cap_chan *c, *c1 = NULL;
839 read_lock(&chan_list_lock);
841 list_for_each_entry(c, &chan_list, global_l) {
842 struct sock *sk = c->sk;
844 if (state && c->state != state)
847 if (c->scid == cid) {
849 if (!bacmp(&bt_sk(sk)->src, src)) {
850 read_unlock(&chan_list_lock);
855 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
860 read_unlock(&chan_list_lock);
865 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
867 struct sock *parent, *sk;
868 struct l2cap_chan *chan, *pchan;
872 /* Check if we have socket listening on cid */
873 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
882 /* Check for backlog size */
883 if (sk_acceptq_is_full(parent)) {
884 BT_DBG("backlog full %d", parent->sk_ack_backlog);
888 chan = pchan->ops->new_connection(pchan->data);
894 hci_conn_hold(conn->hcon);
896 bacpy(&bt_sk(sk)->src, conn->src);
897 bacpy(&bt_sk(sk)->dst, conn->dst);
899 bt_accept_enqueue(parent, sk);
901 l2cap_chan_add(conn, chan);
903 __set_chan_timer(chan, sk->sk_sndtimeo);
905 l2cap_state_change(chan, BT_CONNECTED);
906 parent->sk_data_ready(parent, 0);
909 release_sock(parent);
912 static void l2cap_chan_ready(struct sock *sk)
914 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
915 struct sock *parent = bt_sk(sk)->parent;
917 BT_DBG("sk %p, parent %p", sk, parent);
919 chan->conf_state = 0;
920 __clear_chan_timer(chan);
922 l2cap_state_change(chan, BT_CONNECTED);
923 sk->sk_state_change(sk);
926 parent->sk_data_ready(parent, 0);
929 static void l2cap_conn_ready(struct l2cap_conn *conn)
931 struct l2cap_chan *chan;
933 BT_DBG("conn %p", conn);
935 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
936 l2cap_le_conn_ready(conn);
938 if (conn->hcon->out && conn->hcon->type == LE_LINK)
939 smp_conn_security(conn, conn->hcon->pending_sec_level);
943 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
944 struct sock *sk = chan->sk;
948 if (conn->hcon->type == LE_LINK) {
949 if (smp_conn_security(conn, chan->sec_level))
950 l2cap_chan_ready(sk);
952 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
953 __clear_chan_timer(chan);
954 l2cap_state_change(chan, BT_CONNECTED);
955 sk->sk_state_change(sk);
957 } else if (chan->state == BT_CONNECT)
958 l2cap_do_start(chan);
966 /* Notify sockets that we cannot guaranty reliability anymore */
967 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
969 struct l2cap_chan *chan;
971 BT_DBG("conn %p", conn);
975 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
976 struct sock *sk = chan->sk;
978 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
985 static void l2cap_info_timeout(struct work_struct *work)
987 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
990 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
991 conn->info_ident = 0;
993 l2cap_conn_start(conn);
996 static void l2cap_conn_del(struct hci_conn *hcon, int err)
998 struct l2cap_conn *conn = hcon->l2cap_data;
999 struct l2cap_chan *chan, *l;
1005 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1007 kfree_skb(conn->rx_skb);
1010 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1013 l2cap_chan_del(chan, err);
1015 chan->ops->close(chan->data);
1018 hci_chan_del(conn->hchan);
1020 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1021 __cancel_delayed_work(&conn->info_timer);
1023 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
1024 __cancel_delayed_work(&conn->security_timer);
1025 smp_chan_destroy(conn);
1028 hcon->l2cap_data = NULL;
1032 static void security_timeout(struct work_struct *work)
1034 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1035 security_timer.work);
1037 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1040 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1042 struct l2cap_conn *conn = hcon->l2cap_data;
1043 struct hci_chan *hchan;
1048 hchan = hci_chan_create(hcon);
1052 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1054 hci_chan_del(hchan);
1058 hcon->l2cap_data = conn;
1060 conn->hchan = hchan;
1062 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
1064 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1065 conn->mtu = hcon->hdev->le_mtu;
1067 conn->mtu = hcon->hdev->acl_mtu;
1069 conn->src = &hcon->hdev->bdaddr;
1070 conn->dst = &hcon->dst;
1072 conn->feat_mask = 0;
1074 spin_lock_init(&conn->lock);
1076 INIT_LIST_HEAD(&conn->chan_l);
1078 if (hcon->type == LE_LINK)
1079 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
1081 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
1083 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
1088 /* ---- Socket interface ---- */
1090 /* Find socket with psm and source bdaddr.
1091 * Returns closest match.
1093 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1095 struct l2cap_chan *c, *c1 = NULL;
1097 read_lock(&chan_list_lock);
1099 list_for_each_entry(c, &chan_list, global_l) {
1100 struct sock *sk = c->sk;
1102 if (state && c->state != state)
1105 if (c->psm == psm) {
1107 if (!bacmp(&bt_sk(sk)->src, src)) {
1108 read_unlock(&chan_list_lock);
1113 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
1118 read_unlock(&chan_list_lock);
1123 inline int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, bdaddr_t *dst)
1125 struct sock *sk = chan->sk;
1126 bdaddr_t *src = &bt_sk(sk)->src;
1127 struct l2cap_conn *conn;
1128 struct hci_conn *hcon;
1129 struct hci_dev *hdev;
1133 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
1136 hdev = hci_get_route(dst, src);
1138 return -EHOSTUNREACH;
1144 /* PSM must be odd and lsb of upper byte must be 0 */
1145 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1146 chan->chan_type != L2CAP_CHAN_RAW) {
1151 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1156 switch (chan->mode) {
1157 case L2CAP_MODE_BASIC:
1159 case L2CAP_MODE_ERTM:
1160 case L2CAP_MODE_STREAMING:
1169 switch (sk->sk_state) {
1173 /* Already connecting */
1178 /* Already connected */
1192 /* Set destination address and psm */
1193 bacpy(&bt_sk(sk)->dst, src);
1197 auth_type = l2cap_get_auth_type(chan);
1199 if (chan->dcid == L2CAP_CID_LE_DATA)
1200 hcon = hci_connect(hdev, LE_LINK, dst,
1201 chan->sec_level, auth_type);
1203 hcon = hci_connect(hdev, ACL_LINK, dst,
1204 chan->sec_level, auth_type);
1207 err = PTR_ERR(hcon);
1211 conn = l2cap_conn_add(hcon, 0);
1218 /* Update source addr of the socket */
1219 bacpy(src, conn->src);
1221 l2cap_chan_add(conn, chan);
1223 l2cap_state_change(chan, BT_CONNECT);
1224 __set_chan_timer(chan, sk->sk_sndtimeo);
1226 if (hcon->state == BT_CONNECTED) {
1227 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1228 __clear_chan_timer(chan);
1229 if (l2cap_chan_check_security(chan))
1230 l2cap_state_change(chan, BT_CONNECTED);
1232 l2cap_do_start(chan);
1238 hci_dev_unlock(hdev);
1243 int __l2cap_wait_ack(struct sock *sk)
1245 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1246 DECLARE_WAITQUEUE(wait, current);
1250 add_wait_queue(sk_sleep(sk), &wait);
1251 set_current_state(TASK_INTERRUPTIBLE);
1252 while (chan->unacked_frames > 0 && chan->conn) {
1256 if (signal_pending(current)) {
1257 err = sock_intr_errno(timeo);
1262 timeo = schedule_timeout(timeo);
1264 set_current_state(TASK_INTERRUPTIBLE);
1266 err = sock_error(sk);
1270 set_current_state(TASK_RUNNING);
1271 remove_wait_queue(sk_sleep(sk), &wait);
1275 static void l2cap_monitor_timeout(struct work_struct *work)
1277 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1278 monitor_timer.work);
1279 struct sock *sk = chan->sk;
1281 BT_DBG("chan %p", chan);
1284 if (chan->retry_count >= chan->remote_max_tx) {
1285 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1290 chan->retry_count++;
1291 __set_monitor_timer(chan);
1293 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1297 static void l2cap_retrans_timeout(struct work_struct *work)
1299 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1300 retrans_timer.work);
1301 struct sock *sk = chan->sk;
1303 BT_DBG("chan %p", chan);
1306 chan->retry_count = 1;
1307 __set_monitor_timer(chan);
1309 set_bit(CONN_WAIT_F, &chan->conn_state);
1311 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1315 static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1317 struct sk_buff *skb;
1319 while ((skb = skb_peek(&chan->tx_q)) &&
1320 chan->unacked_frames) {
1321 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1324 skb = skb_dequeue(&chan->tx_q);
1327 chan->unacked_frames--;
1330 if (!chan->unacked_frames)
1331 __clear_retrans_timer(chan);
1334 static void l2cap_streaming_send(struct l2cap_chan *chan)
1336 struct sk_buff *skb;
1340 while ((skb = skb_dequeue(&chan->tx_q))) {
1341 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
1342 control |= __set_txseq(chan, chan->next_tx_seq);
1343 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
1345 if (chan->fcs == L2CAP_FCS_CRC16) {
1346 fcs = crc16(0, (u8 *)skb->data,
1347 skb->len - L2CAP_FCS_SIZE);
1348 put_unaligned_le16(fcs,
1349 skb->data + skb->len - L2CAP_FCS_SIZE);
1352 l2cap_do_send(chan, skb);
1354 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1358 static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
1360 struct sk_buff *skb, *tx_skb;
1364 skb = skb_peek(&chan->tx_q);
1368 while (bt_cb(skb)->tx_seq != tx_seq) {
1369 if (skb_queue_is_last(&chan->tx_q, skb))
1372 skb = skb_queue_next(&chan->tx_q, skb);
1375 if (chan->remote_max_tx &&
1376 bt_cb(skb)->retries == chan->remote_max_tx) {
1377 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1381 tx_skb = skb_clone(skb, GFP_ATOMIC);
1382 bt_cb(skb)->retries++;
1384 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
1385 control &= __get_sar_mask(chan);
1387 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1388 control |= __set_ctrl_final(chan);
1390 control |= __set_reqseq(chan, chan->buffer_seq);
1391 control |= __set_txseq(chan, tx_seq);
1393 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
1395 if (chan->fcs == L2CAP_FCS_CRC16) {
1396 fcs = crc16(0, (u8 *)tx_skb->data,
1397 tx_skb->len - L2CAP_FCS_SIZE);
1398 put_unaligned_le16(fcs,
1399 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
1402 l2cap_do_send(chan, tx_skb);
1405 static int l2cap_ertm_send(struct l2cap_chan *chan)
1407 struct sk_buff *skb, *tx_skb;
1412 if (chan->state != BT_CONNECTED)
1415 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1417 if (chan->remote_max_tx &&
1418 bt_cb(skb)->retries == chan->remote_max_tx) {
1419 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1423 tx_skb = skb_clone(skb, GFP_ATOMIC);
1425 bt_cb(skb)->retries++;
1427 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
1428 control &= __get_sar_mask(chan);
1430 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1431 control |= __set_ctrl_final(chan);
1433 control |= __set_reqseq(chan, chan->buffer_seq);
1434 control |= __set_txseq(chan, chan->next_tx_seq);
1436 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
1438 if (chan->fcs == L2CAP_FCS_CRC16) {
1439 fcs = crc16(0, (u8 *)skb->data,
1440 tx_skb->len - L2CAP_FCS_SIZE);
1441 put_unaligned_le16(fcs, skb->data +
1442 tx_skb->len - L2CAP_FCS_SIZE);
1445 l2cap_do_send(chan, tx_skb);
1447 __set_retrans_timer(chan);
1449 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1451 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1453 if (bt_cb(skb)->retries == 1)
1454 chan->unacked_frames++;
1456 chan->frames_sent++;
1458 if (skb_queue_is_last(&chan->tx_q, skb))
1459 chan->tx_send_head = NULL;
1461 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1469 static int l2cap_retransmit_frames(struct l2cap_chan *chan)
1473 if (!skb_queue_empty(&chan->tx_q))
1474 chan->tx_send_head = chan->tx_q.next;
1476 chan->next_tx_seq = chan->expected_ack_seq;
1477 ret = l2cap_ertm_send(chan);
1481 static void l2cap_send_ack(struct l2cap_chan *chan)
1485 control |= __set_reqseq(chan, chan->buffer_seq);
1487 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
1488 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
1489 set_bit(CONN_RNR_SENT, &chan->conn_state);
1490 l2cap_send_sframe(chan, control);
1494 if (l2cap_ertm_send(chan) > 0)
1497 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
1498 l2cap_send_sframe(chan, control);
1501 static void l2cap_send_srejtail(struct l2cap_chan *chan)
1503 struct srej_list *tail;
1506 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
1507 control |= __set_ctrl_final(chan);
1509 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
1510 control |= __set_reqseq(chan, tail->tx_seq);
1512 l2cap_send_sframe(chan, control);
1515 static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1517 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1518 struct sk_buff **frag;
1521 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1527 /* Continuation fragments (no L2CAP header) */
1528 frag = &skb_shinfo(skb)->frag_list;
1530 count = min_t(unsigned int, conn->mtu, len);
1532 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1535 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1538 (*frag)->priority = skb->priority;
1543 frag = &(*frag)->next;
1549 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1550 struct msghdr *msg, size_t len,
1553 struct sock *sk = chan->sk;
1554 struct l2cap_conn *conn = chan->conn;
1555 struct sk_buff *skb;
1556 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1557 struct l2cap_hdr *lh;
1559 BT_DBG("sk %p len %d priority %u", sk, (int)len, priority);
1561 count = min_t(unsigned int, (conn->mtu - hlen), len);
1562 skb = bt_skb_send_alloc(sk, count + hlen,
1563 msg->msg_flags & MSG_DONTWAIT, &err);
1565 return ERR_PTR(err);
1567 skb->priority = priority;
1569 /* Create L2CAP header */
1570 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1571 lh->cid = cpu_to_le16(chan->dcid);
1572 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1573 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1575 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1576 if (unlikely(err < 0)) {
1578 return ERR_PTR(err);
1583 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1584 struct msghdr *msg, size_t len,
1587 struct sock *sk = chan->sk;
1588 struct l2cap_conn *conn = chan->conn;
1589 struct sk_buff *skb;
1590 int err, count, hlen = L2CAP_HDR_SIZE;
1591 struct l2cap_hdr *lh;
1593 BT_DBG("sk %p len %d", sk, (int)len);
1595 count = min_t(unsigned int, (conn->mtu - hlen), len);
1596 skb = bt_skb_send_alloc(sk, count + hlen,
1597 msg->msg_flags & MSG_DONTWAIT, &err);
1599 return ERR_PTR(err);
1601 skb->priority = priority;
1603 /* Create L2CAP header */
1604 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1605 lh->cid = cpu_to_le16(chan->dcid);
1606 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1608 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1609 if (unlikely(err < 0)) {
1611 return ERR_PTR(err);
1616 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1617 struct msghdr *msg, size_t len,
1618 u32 control, u16 sdulen)
1620 struct sock *sk = chan->sk;
1621 struct l2cap_conn *conn = chan->conn;
1622 struct sk_buff *skb;
1623 int err, count, hlen;
1624 struct l2cap_hdr *lh;
1626 BT_DBG("sk %p len %d", sk, (int)len);
1629 return ERR_PTR(-ENOTCONN);
1631 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1632 hlen = L2CAP_EXT_HDR_SIZE;
1634 hlen = L2CAP_ENH_HDR_SIZE;
1637 hlen += L2CAP_SDULEN_SIZE;
1639 if (chan->fcs == L2CAP_FCS_CRC16)
1640 hlen += L2CAP_FCS_SIZE;
1642 count = min_t(unsigned int, (conn->mtu - hlen), len);
1643 skb = bt_skb_send_alloc(sk, count + hlen,
1644 msg->msg_flags & MSG_DONTWAIT, &err);
1646 return ERR_PTR(err);
1648 /* Create L2CAP header */
1649 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1650 lh->cid = cpu_to_le16(chan->dcid);
1651 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1653 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1656 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1658 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1659 if (unlikely(err < 0)) {
1661 return ERR_PTR(err);
1664 if (chan->fcs == L2CAP_FCS_CRC16)
1665 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
1667 bt_cb(skb)->retries = 0;
1671 static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1673 struct sk_buff *skb;
1674 struct sk_buff_head sar_queue;
1678 skb_queue_head_init(&sar_queue);
1679 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
1680 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
1682 return PTR_ERR(skb);
1684 __skb_queue_tail(&sar_queue, skb);
1685 len -= chan->remote_mps;
1686 size += chan->remote_mps;
1691 if (len > chan->remote_mps) {
1692 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
1693 buflen = chan->remote_mps;
1695 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
1699 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
1701 skb_queue_purge(&sar_queue);
1702 return PTR_ERR(skb);
1705 __skb_queue_tail(&sar_queue, skb);
1709 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1710 if (chan->tx_send_head == NULL)
1711 chan->tx_send_head = sar_queue.next;
1716 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
1719 struct sk_buff *skb;
1723 /* Connectionless channel */
1724 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
1725 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
1727 return PTR_ERR(skb);
1729 l2cap_do_send(chan, skb);
1733 switch (chan->mode) {
1734 case L2CAP_MODE_BASIC:
1735 /* Check outgoing MTU */
1736 if (len > chan->omtu)
1739 /* Create a basic PDU */
1740 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
1742 return PTR_ERR(skb);
1744 l2cap_do_send(chan, skb);
1748 case L2CAP_MODE_ERTM:
1749 case L2CAP_MODE_STREAMING:
1750 /* Entire SDU fits into one PDU */
1751 if (len <= chan->remote_mps) {
1752 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
1753 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1756 return PTR_ERR(skb);
1758 __skb_queue_tail(&chan->tx_q, skb);
1760 if (chan->tx_send_head == NULL)
1761 chan->tx_send_head = skb;
1764 /* Segment SDU into multiples PDUs */
1765 err = l2cap_sar_segment_sdu(chan, msg, len);
1770 if (chan->mode == L2CAP_MODE_STREAMING) {
1771 l2cap_streaming_send(chan);
1776 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1777 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1782 err = l2cap_ertm_send(chan);
1789 BT_DBG("bad state %1.1x", chan->mode);
1796 /* Copy frame to all raw sockets on that connection */
1797 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1799 struct sk_buff *nskb;
1800 struct l2cap_chan *chan;
1802 BT_DBG("conn %p", conn);
1806 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
1807 struct sock *sk = chan->sk;
1808 if (chan->chan_type != L2CAP_CHAN_RAW)
1811 /* Don't send frame to the socket it came from */
1814 nskb = skb_clone(skb, GFP_ATOMIC);
1818 if (chan->ops->recv(chan->data, nskb))
1825 /* ---- L2CAP signalling commands ---- */
1826 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1827 u8 code, u8 ident, u16 dlen, void *data)
1829 struct sk_buff *skb, **frag;
1830 struct l2cap_cmd_hdr *cmd;
1831 struct l2cap_hdr *lh;
1834 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1835 conn, code, ident, dlen);
1837 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1838 count = min_t(unsigned int, conn->mtu, len);
1840 skb = bt_skb_alloc(count, GFP_ATOMIC);
1844 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1845 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1847 if (conn->hcon->type == LE_LINK)
1848 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1850 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1852 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1855 cmd->len = cpu_to_le16(dlen);
1858 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1859 memcpy(skb_put(skb, count), data, count);
1865 /* Continuation fragments (no L2CAP header) */
1866 frag = &skb_shinfo(skb)->frag_list;
1868 count = min_t(unsigned int, conn->mtu, len);
1870 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1874 memcpy(skb_put(*frag, count), data, count);
1879 frag = &(*frag)->next;
1889 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1891 struct l2cap_conf_opt *opt = *ptr;
1894 len = L2CAP_CONF_OPT_SIZE + opt->len;
1902 *val = *((u8 *) opt->val);
1906 *val = get_unaligned_le16(opt->val);
1910 *val = get_unaligned_le32(opt->val);
1914 *val = (unsigned long) opt->val;
1918 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1922 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1924 struct l2cap_conf_opt *opt = *ptr;
1926 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1933 *((u8 *) opt->val) = val;
1937 put_unaligned_le16(val, opt->val);
1941 put_unaligned_le32(val, opt->val);
1945 memcpy(opt->val, (void *) val, len);
1949 *ptr += L2CAP_CONF_OPT_SIZE + len;
1952 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1954 struct l2cap_conf_efs efs;
1956 switch (chan->mode) {
1957 case L2CAP_MODE_ERTM:
1958 efs.id = chan->local_id;
1959 efs.stype = chan->local_stype;
1960 efs.msdu = cpu_to_le16(chan->local_msdu);
1961 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1962 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
1963 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
1966 case L2CAP_MODE_STREAMING:
1968 efs.stype = L2CAP_SERV_BESTEFFORT;
1969 efs.msdu = cpu_to_le16(chan->local_msdu);
1970 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
1979 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
1980 (unsigned long) &efs);
1983 static void l2cap_ack_timeout(struct work_struct *work)
1985 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1988 lock_sock(chan->sk);
1989 l2cap_send_ack(chan);
1990 release_sock(chan->sk);
1993 static inline void l2cap_ertm_init(struct l2cap_chan *chan)
1995 chan->expected_ack_seq = 0;
1996 chan->unacked_frames = 0;
1997 chan->buffer_seq = 0;
1998 chan->num_acked = 0;
1999 chan->frames_sent = 0;
2001 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2002 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2003 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
2005 skb_queue_head_init(&chan->srej_q);
2007 INIT_LIST_HEAD(&chan->srej_l);
2010 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2013 case L2CAP_MODE_STREAMING:
2014 case L2CAP_MODE_ERTM:
2015 if (l2cap_mode_supported(mode, remote_feat_mask))
2019 return L2CAP_MODE_BASIC;
2023 static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2025 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2028 static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2030 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2033 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2035 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2036 __l2cap_ews_supported(chan)) {
2037 /* use extended control field */
2038 set_bit(FLAG_EXT_CTRL, &chan->flags);
2039 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2041 chan->tx_win = min_t(u16, chan->tx_win,
2042 L2CAP_DEFAULT_TX_WINDOW);
2043 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2047 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
2049 struct l2cap_conf_req *req = data;
2050 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
2051 void *ptr = req->data;
2054 BT_DBG("chan %p", chan);
2056 if (chan->num_conf_req || chan->num_conf_rsp)
2059 switch (chan->mode) {
2060 case L2CAP_MODE_STREAMING:
2061 case L2CAP_MODE_ERTM:
2062 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
2065 if (__l2cap_efs_supported(chan))
2066 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2070 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
2075 if (chan->imtu != L2CAP_DEFAULT_MTU)
2076 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
2078 switch (chan->mode) {
2079 case L2CAP_MODE_BASIC:
2080 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2081 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
2084 rfc.mode = L2CAP_MODE_BASIC;
2086 rfc.max_transmit = 0;
2087 rfc.retrans_timeout = 0;
2088 rfc.monitor_timeout = 0;
2089 rfc.max_pdu_size = 0;
2091 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2092 (unsigned long) &rfc);
2095 case L2CAP_MODE_ERTM:
2096 rfc.mode = L2CAP_MODE_ERTM;
2097 rfc.max_transmit = chan->max_tx;
2098 rfc.retrans_timeout = 0;
2099 rfc.monitor_timeout = 0;
2101 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2102 L2CAP_EXT_HDR_SIZE -
2105 rfc.max_pdu_size = cpu_to_le16(size);
2107 l2cap_txwin_setup(chan);
2109 rfc.txwin_size = min_t(u16, chan->tx_win,
2110 L2CAP_DEFAULT_TX_WINDOW);
2112 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2113 (unsigned long) &rfc);
2115 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2116 l2cap_add_opt_efs(&ptr, chan);
2118 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
2121 if (chan->fcs == L2CAP_FCS_NONE ||
2122 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
2123 chan->fcs = L2CAP_FCS_NONE;
2124 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
2127 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2128 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2132 case L2CAP_MODE_STREAMING:
2133 rfc.mode = L2CAP_MODE_STREAMING;
2135 rfc.max_transmit = 0;
2136 rfc.retrans_timeout = 0;
2137 rfc.monitor_timeout = 0;
2139 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2140 L2CAP_EXT_HDR_SIZE -
2143 rfc.max_pdu_size = cpu_to_le16(size);
2145 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2146 (unsigned long) &rfc);
2148 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2149 l2cap_add_opt_efs(&ptr, chan);
2151 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
2154 if (chan->fcs == L2CAP_FCS_NONE ||
2155 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
2156 chan->fcs = L2CAP_FCS_NONE;
2157 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
2162 req->dcid = cpu_to_le16(chan->dcid);
2163 req->flags = cpu_to_le16(0);
2168 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
2170 struct l2cap_conf_rsp *rsp = data;
2171 void *ptr = rsp->data;
2172 void *req = chan->conf_req;
2173 int len = chan->conf_len;
2174 int type, hint, olen;
2176 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2177 struct l2cap_conf_efs efs;
2179 u16 mtu = L2CAP_DEFAULT_MTU;
2180 u16 result = L2CAP_CONF_SUCCESS;
2183 BT_DBG("chan %p", chan);
2185 while (len >= L2CAP_CONF_OPT_SIZE) {
2186 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
2188 hint = type & L2CAP_CONF_HINT;
2189 type &= L2CAP_CONF_MASK;
2192 case L2CAP_CONF_MTU:
2196 case L2CAP_CONF_FLUSH_TO:
2197 chan->flush_to = val;
2200 case L2CAP_CONF_QOS:
2203 case L2CAP_CONF_RFC:
2204 if (olen == sizeof(rfc))
2205 memcpy(&rfc, (void *) val, olen);
2208 case L2CAP_CONF_FCS:
2209 if (val == L2CAP_FCS_NONE)
2210 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
2213 case L2CAP_CONF_EFS:
2215 if (olen == sizeof(efs))
2216 memcpy(&efs, (void *) val, olen);
2219 case L2CAP_CONF_EWS:
2221 return -ECONNREFUSED;
2223 set_bit(FLAG_EXT_CTRL, &chan->flags);
2224 set_bit(CONF_EWS_RECV, &chan->conf_state);
2225 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2226 chan->remote_tx_win = val;
2233 result = L2CAP_CONF_UNKNOWN;
2234 *((u8 *) ptr++) = type;
2239 if (chan->num_conf_rsp || chan->num_conf_req > 1)
2242 switch (chan->mode) {
2243 case L2CAP_MODE_STREAMING:
2244 case L2CAP_MODE_ERTM:
2245 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
2246 chan->mode = l2cap_select_mode(rfc.mode,
2247 chan->conn->feat_mask);
2252 if (__l2cap_efs_supported(chan))
2253 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2255 return -ECONNREFUSED;
2258 if (chan->mode != rfc.mode)
2259 return -ECONNREFUSED;
2265 if (chan->mode != rfc.mode) {
2266 result = L2CAP_CONF_UNACCEPT;
2267 rfc.mode = chan->mode;
2269 if (chan->num_conf_rsp == 1)
2270 return -ECONNREFUSED;
2272 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2273 sizeof(rfc), (unsigned long) &rfc);
2276 if (result == L2CAP_CONF_SUCCESS) {
2277 /* Configure output options and let the other side know
2278 * which ones we don't like. */
2280 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2281 result = L2CAP_CONF_UNACCEPT;
2284 set_bit(CONF_MTU_DONE, &chan->conf_state);
2286 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
2289 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2290 efs.stype != L2CAP_SERV_NOTRAFIC &&
2291 efs.stype != chan->local_stype) {
2293 result = L2CAP_CONF_UNACCEPT;
2295 if (chan->num_conf_req >= 1)
2296 return -ECONNREFUSED;
2298 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2300 (unsigned long) &efs);
2302 /* Send PENDING Conf Rsp */
2303 result = L2CAP_CONF_PENDING;
2304 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2309 case L2CAP_MODE_BASIC:
2310 chan->fcs = L2CAP_FCS_NONE;
2311 set_bit(CONF_MODE_DONE, &chan->conf_state);
2314 case L2CAP_MODE_ERTM:
2315 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2316 chan->remote_tx_win = rfc.txwin_size;
2318 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2320 chan->remote_max_tx = rfc.max_transmit;
2322 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2324 L2CAP_EXT_HDR_SIZE -
2327 rfc.max_pdu_size = cpu_to_le16(size);
2328 chan->remote_mps = size;
2330 rfc.retrans_timeout =
2331 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2332 rfc.monitor_timeout =
2333 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
2335 set_bit(CONF_MODE_DONE, &chan->conf_state);
2337 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2338 sizeof(rfc), (unsigned long) &rfc);
2340 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2341 chan->remote_id = efs.id;
2342 chan->remote_stype = efs.stype;
2343 chan->remote_msdu = le16_to_cpu(efs.msdu);
2344 chan->remote_flush_to =
2345 le32_to_cpu(efs.flush_to);
2346 chan->remote_acc_lat =
2347 le32_to_cpu(efs.acc_lat);
2348 chan->remote_sdu_itime =
2349 le32_to_cpu(efs.sdu_itime);
2350 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2351 sizeof(efs), (unsigned long) &efs);
2355 case L2CAP_MODE_STREAMING:
2356 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2358 L2CAP_EXT_HDR_SIZE -
2361 rfc.max_pdu_size = cpu_to_le16(size);
2362 chan->remote_mps = size;
2364 set_bit(CONF_MODE_DONE, &chan->conf_state);
2366 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2367 sizeof(rfc), (unsigned long) &rfc);
2372 result = L2CAP_CONF_UNACCEPT;
2374 memset(&rfc, 0, sizeof(rfc));
2375 rfc.mode = chan->mode;
2378 if (result == L2CAP_CONF_SUCCESS)
2379 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2381 rsp->scid = cpu_to_le16(chan->dcid);
2382 rsp->result = cpu_to_le16(result);
2383 rsp->flags = cpu_to_le16(0x0000);
2388 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
2390 struct l2cap_conf_req *req = data;
2391 void *ptr = req->data;
2394 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2395 struct l2cap_conf_efs efs;
2397 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
2399 while (len >= L2CAP_CONF_OPT_SIZE) {
2400 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2403 case L2CAP_CONF_MTU:
2404 if (val < L2CAP_DEFAULT_MIN_MTU) {
2405 *result = L2CAP_CONF_UNACCEPT;
2406 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
2409 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
2412 case L2CAP_CONF_FLUSH_TO:
2413 chan->flush_to = val;
2414 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2418 case L2CAP_CONF_RFC:
2419 if (olen == sizeof(rfc))
2420 memcpy(&rfc, (void *)val, olen);
2422 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2423 rfc.mode != chan->mode)
2424 return -ECONNREFUSED;
2428 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2429 sizeof(rfc), (unsigned long) &rfc);
2432 case L2CAP_CONF_EWS:
2433 chan->tx_win = min_t(u16, val,
2434 L2CAP_DEFAULT_EXT_WINDOW);
2435 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2439 case L2CAP_CONF_EFS:
2440 if (olen == sizeof(efs))
2441 memcpy(&efs, (void *)val, olen);
2443 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2444 efs.stype != L2CAP_SERV_NOTRAFIC &&
2445 efs.stype != chan->local_stype)
2446 return -ECONNREFUSED;
2448 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2449 sizeof(efs), (unsigned long) &efs);
2454 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
2455 return -ECONNREFUSED;
2457 chan->mode = rfc.mode;
2459 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
2461 case L2CAP_MODE_ERTM:
2462 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2463 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2464 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2466 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2467 chan->local_msdu = le16_to_cpu(efs.msdu);
2468 chan->local_sdu_itime =
2469 le32_to_cpu(efs.sdu_itime);
2470 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2471 chan->local_flush_to =
2472 le32_to_cpu(efs.flush_to);
2476 case L2CAP_MODE_STREAMING:
2477 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2481 req->dcid = cpu_to_le16(chan->dcid);
2482 req->flags = cpu_to_le16(0x0000);
2487 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
2489 struct l2cap_conf_rsp *rsp = data;
2490 void *ptr = rsp->data;
2492 BT_DBG("chan %p", chan);
2494 rsp->scid = cpu_to_le16(chan->dcid);
2495 rsp->result = cpu_to_le16(result);
2496 rsp->flags = cpu_to_le16(flags);
2501 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2503 struct l2cap_conn_rsp rsp;
2504 struct l2cap_conn *conn = chan->conn;
2507 rsp.scid = cpu_to_le16(chan->dcid);
2508 rsp.dcid = cpu_to_le16(chan->scid);
2509 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2510 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2511 l2cap_send_cmd(conn, chan->ident,
2512 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2514 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2517 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2518 l2cap_build_conf_req(chan, buf), buf);
2519 chan->num_conf_req++;
2522 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
2526 struct l2cap_conf_rfc rfc;
2528 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
2530 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
2533 while (len >= L2CAP_CONF_OPT_SIZE) {
2534 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2537 case L2CAP_CONF_RFC:
2538 if (olen == sizeof(rfc))
2539 memcpy(&rfc, (void *)val, olen);
2544 /* Use sane default values in case a misbehaving remote device
2545 * did not send an RFC option.
2547 rfc.mode = chan->mode;
2548 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2549 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2550 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2552 BT_ERR("Expected RFC option was not found, using defaults");
2556 case L2CAP_MODE_ERTM:
2557 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2558 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2559 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2561 case L2CAP_MODE_STREAMING:
2562 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2566 static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2568 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
2570 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
2573 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2574 cmd->ident == conn->info_ident) {
2575 __cancel_delayed_work(&conn->info_timer);
2577 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2578 conn->info_ident = 0;
2580 l2cap_conn_start(conn);
2586 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2588 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2589 struct l2cap_conn_rsp rsp;
2590 struct l2cap_chan *chan = NULL, *pchan;
2591 struct sock *parent, *sk = NULL;
2592 int result, status = L2CAP_CS_NO_INFO;
2594 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
2595 __le16 psm = req->psm;
2597 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2599 /* Check if we have socket listening on psm */
2600 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2602 result = L2CAP_CR_BAD_PSM;
2610 /* Check if the ACL is secure enough (if not SDP) */
2611 if (psm != cpu_to_le16(0x0001) &&
2612 !hci_conn_check_link_mode(conn->hcon)) {
2613 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
2614 result = L2CAP_CR_SEC_BLOCK;
2618 result = L2CAP_CR_NO_MEM;
2620 /* Check for backlog size */
2621 if (sk_acceptq_is_full(parent)) {
2622 BT_DBG("backlog full %d", parent->sk_ack_backlog);
2626 chan = pchan->ops->new_connection(pchan->data);
2632 /* Check if we already have channel with that dcid */
2633 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2634 sock_set_flag(sk, SOCK_ZAPPED);
2635 chan->ops->close(chan->data);
2639 hci_conn_hold(conn->hcon);
2641 bacpy(&bt_sk(sk)->src, conn->src);
2642 bacpy(&bt_sk(sk)->dst, conn->dst);
2646 bt_accept_enqueue(parent, sk);
2648 l2cap_chan_add(conn, chan);
2652 __set_chan_timer(chan, sk->sk_sndtimeo);
2654 chan->ident = cmd->ident;
2656 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2657 if (l2cap_chan_check_security(chan)) {
2658 if (bt_sk(sk)->defer_setup) {
2659 l2cap_state_change(chan, BT_CONNECT2);
2660 result = L2CAP_CR_PEND;
2661 status = L2CAP_CS_AUTHOR_PEND;
2662 parent->sk_data_ready(parent, 0);
2664 l2cap_state_change(chan, BT_CONFIG);
2665 result = L2CAP_CR_SUCCESS;
2666 status = L2CAP_CS_NO_INFO;
2669 l2cap_state_change(chan, BT_CONNECT2);
2670 result = L2CAP_CR_PEND;
2671 status = L2CAP_CS_AUTHEN_PEND;
2674 l2cap_state_change(chan, BT_CONNECT2);
2675 result = L2CAP_CR_PEND;
2676 status = L2CAP_CS_NO_INFO;
2680 release_sock(parent);
2683 rsp.scid = cpu_to_le16(scid);
2684 rsp.dcid = cpu_to_le16(dcid);
2685 rsp.result = cpu_to_le16(result);
2686 rsp.status = cpu_to_le16(status);
2687 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2689 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2690 struct l2cap_info_req info;
2691 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2693 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2694 conn->info_ident = l2cap_get_ident(conn);
2696 schedule_delayed_work(&conn->info_timer,
2697 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2699 l2cap_send_cmd(conn, conn->info_ident,
2700 L2CAP_INFO_REQ, sizeof(info), &info);
2703 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2704 result == L2CAP_CR_SUCCESS) {
2706 set_bit(CONF_REQ_SENT, &chan->conf_state);
2707 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2708 l2cap_build_conf_req(chan, buf), buf);
2709 chan->num_conf_req++;
2715 static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2717 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2718 u16 scid, dcid, result, status;
2719 struct l2cap_chan *chan;
2723 scid = __le16_to_cpu(rsp->scid);
2724 dcid = __le16_to_cpu(rsp->dcid);
2725 result = __le16_to_cpu(rsp->result);
2726 status = __le16_to_cpu(rsp->status);
2728 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2731 chan = l2cap_get_chan_by_scid(conn, scid);
2735 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
2743 case L2CAP_CR_SUCCESS:
2744 l2cap_state_change(chan, BT_CONFIG);
2747 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
2749 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2752 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2753 l2cap_build_conf_req(chan, req), req);
2754 chan->num_conf_req++;
2758 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
2762 l2cap_chan_del(chan, ECONNREFUSED);
2770 static inline void set_default_fcs(struct l2cap_chan *chan)
2772 /* FCS is enabled only in ERTM or streaming mode, if one or both
2775 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
2776 chan->fcs = L2CAP_FCS_NONE;
2777 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
2778 chan->fcs = L2CAP_FCS_CRC16;
2781 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2783 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2786 struct l2cap_chan *chan;
2790 dcid = __le16_to_cpu(req->dcid);
2791 flags = __le16_to_cpu(req->flags);
2793 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2795 chan = l2cap_get_chan_by_scid(conn, dcid);
2801 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
2802 struct l2cap_cmd_rej_cid rej;
2804 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2805 rej.scid = cpu_to_le16(chan->scid);
2806 rej.dcid = cpu_to_le16(chan->dcid);
2808 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2813 /* Reject if config buffer is too small. */
2814 len = cmd_len - sizeof(*req);
2815 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
2816 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2817 l2cap_build_conf_rsp(chan, rsp,
2818 L2CAP_CONF_REJECT, flags), rsp);
2823 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2824 chan->conf_len += len;
2826 if (flags & 0x0001) {
2827 /* Incomplete config. Send empty response. */
2828 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2829 l2cap_build_conf_rsp(chan, rsp,
2830 L2CAP_CONF_SUCCESS, 0x0001), rsp);
2834 /* Complete config. */
2835 len = l2cap_parse_conf_req(chan, rsp);
2837 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2841 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2842 chan->num_conf_rsp++;
2844 /* Reset config buffer. */
2847 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
2850 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
2851 set_default_fcs(chan);
2853 l2cap_state_change(chan, BT_CONNECTED);
2855 chan->next_tx_seq = 0;
2856 chan->expected_tx_seq = 0;
2857 skb_queue_head_init(&chan->tx_q);
2858 if (chan->mode == L2CAP_MODE_ERTM)
2859 l2cap_ertm_init(chan);
2861 l2cap_chan_ready(sk);
2865 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
2867 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2868 l2cap_build_conf_req(chan, buf), buf);
2869 chan->num_conf_req++;
2872 /* Got Conf Rsp PENDING from remote side and asume we sent
2873 Conf Rsp PENDING in the code above */
2874 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
2875 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2877 /* check compatibility */
2879 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2880 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2882 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2883 l2cap_build_conf_rsp(chan, rsp,
2884 L2CAP_CONF_SUCCESS, 0x0000), rsp);
2892 static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2894 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2895 u16 scid, flags, result;
2896 struct l2cap_chan *chan;
2898 int len = cmd->len - sizeof(*rsp);
2900 scid = __le16_to_cpu(rsp->scid);
2901 flags = __le16_to_cpu(rsp->flags);
2902 result = __le16_to_cpu(rsp->result);
2904 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2905 scid, flags, result);
2907 chan = l2cap_get_chan_by_scid(conn, scid);
2914 case L2CAP_CONF_SUCCESS:
2915 l2cap_conf_rfc_get(chan, rsp->data, len);
2916 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2919 case L2CAP_CONF_PENDING:
2920 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2922 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2925 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2928 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2932 /* check compatibility */
2934 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2935 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2937 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2938 l2cap_build_conf_rsp(chan, buf,
2939 L2CAP_CONF_SUCCESS, 0x0000), buf);
2943 case L2CAP_CONF_UNACCEPT:
2944 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
2947 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
2948 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2952 /* throw out any old stored conf requests */
2953 result = L2CAP_CONF_SUCCESS;
2954 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2957 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2961 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2962 L2CAP_CONF_REQ, len, req);
2963 chan->num_conf_req++;
2964 if (result != L2CAP_CONF_SUCCESS)
2970 sk->sk_err = ECONNRESET;
2971 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
2972 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2979 set_bit(CONF_INPUT_DONE, &chan->conf_state);
2981 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
2982 set_default_fcs(chan);
2984 l2cap_state_change(chan, BT_CONNECTED);
2985 chan->next_tx_seq = 0;
2986 chan->expected_tx_seq = 0;
2987 skb_queue_head_init(&chan->tx_q);
2988 if (chan->mode == L2CAP_MODE_ERTM)
2989 l2cap_ertm_init(chan);
2991 l2cap_chan_ready(sk);
2999 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3001 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3002 struct l2cap_disconn_rsp rsp;
3004 struct l2cap_chan *chan;
3007 scid = __le16_to_cpu(req->scid);
3008 dcid = __le16_to_cpu(req->dcid);
3010 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3012 chan = l2cap_get_chan_by_scid(conn, dcid);
3018 rsp.dcid = cpu_to_le16(chan->scid);
3019 rsp.scid = cpu_to_le16(chan->dcid);
3020 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3022 sk->sk_shutdown = SHUTDOWN_MASK;
3024 l2cap_chan_del(chan, ECONNRESET);
3027 chan->ops->close(chan->data);
3031 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3033 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3035 struct l2cap_chan *chan;
3038 scid = __le16_to_cpu(rsp->scid);
3039 dcid = __le16_to_cpu(rsp->dcid);
3041 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3043 chan = l2cap_get_chan_by_scid(conn, scid);
3049 l2cap_chan_del(chan, 0);
3052 chan->ops->close(chan->data);
3056 static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3058 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
3061 type = __le16_to_cpu(req->type);
3063 BT_DBG("type 0x%4.4x", type);
3065 if (type == L2CAP_IT_FEAT_MASK) {
3067 u32 feat_mask = l2cap_feat_mask;
3068 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3069 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3070 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3072 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3075 feat_mask |= L2CAP_FEAT_EXT_FLOW
3076 | L2CAP_FEAT_EXT_WINDOW;
3078 put_unaligned_le32(feat_mask, rsp->data);
3079 l2cap_send_cmd(conn, cmd->ident,
3080 L2CAP_INFO_RSP, sizeof(buf), buf);
3081 } else if (type == L2CAP_IT_FIXED_CHAN) {
3083 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3086 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3088 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3090 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3091 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3092 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
3093 l2cap_send_cmd(conn, cmd->ident,
3094 L2CAP_INFO_RSP, sizeof(buf), buf);
3096 struct l2cap_info_rsp rsp;
3097 rsp.type = cpu_to_le16(type);
3098 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3099 l2cap_send_cmd(conn, cmd->ident,
3100 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3106 static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3108 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3111 type = __le16_to_cpu(rsp->type);
3112 result = __le16_to_cpu(rsp->result);
3114 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3116 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3117 if (cmd->ident != conn->info_ident ||
3118 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3121 __cancel_delayed_work(&conn->info_timer);
3123 if (result != L2CAP_IR_SUCCESS) {
3124 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3125 conn->info_ident = 0;
3127 l2cap_conn_start(conn);
3132 if (type == L2CAP_IT_FEAT_MASK) {
3133 conn->feat_mask = get_unaligned_le32(rsp->data);
3135 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
3136 struct l2cap_info_req req;
3137 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3139 conn->info_ident = l2cap_get_ident(conn);
3141 l2cap_send_cmd(conn, conn->info_ident,
3142 L2CAP_INFO_REQ, sizeof(req), &req);
3144 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3145 conn->info_ident = 0;
3147 l2cap_conn_start(conn);
3149 } else if (type == L2CAP_IT_FIXED_CHAN) {
3150 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3151 conn->info_ident = 0;
3153 l2cap_conn_start(conn);
3159 static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3160 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3163 struct l2cap_create_chan_req *req = data;
3164 struct l2cap_create_chan_rsp rsp;
3167 if (cmd_len != sizeof(*req))
3173 psm = le16_to_cpu(req->psm);
3174 scid = le16_to_cpu(req->scid);
3176 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3178 /* Placeholder: Always reject */
3180 rsp.scid = cpu_to_le16(scid);
3181 rsp.result = L2CAP_CR_NO_MEM;
3182 rsp.status = L2CAP_CS_NO_INFO;
3184 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3190 static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3191 struct l2cap_cmd_hdr *cmd, void *data)
3193 BT_DBG("conn %p", conn);
3195 return l2cap_connect_rsp(conn, cmd, data);
3198 static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3199 u16 icid, u16 result)
3201 struct l2cap_move_chan_rsp rsp;
3203 BT_DBG("icid %d, result %d", icid, result);
3205 rsp.icid = cpu_to_le16(icid);
3206 rsp.result = cpu_to_le16(result);
3208 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3211 static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3212 struct l2cap_chan *chan, u16 icid, u16 result)
3214 struct l2cap_move_chan_cfm cfm;
3217 BT_DBG("icid %d, result %d", icid, result);
3219 ident = l2cap_get_ident(conn);
3221 chan->ident = ident;
3223 cfm.icid = cpu_to_le16(icid);
3224 cfm.result = cpu_to_le16(result);
3226 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3229 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3232 struct l2cap_move_chan_cfm_rsp rsp;
3234 BT_DBG("icid %d", icid);
3236 rsp.icid = cpu_to_le16(icid);
3237 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3240 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3241 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3243 struct l2cap_move_chan_req *req = data;
3245 u16 result = L2CAP_MR_NOT_ALLOWED;
3247 if (cmd_len != sizeof(*req))
3250 icid = le16_to_cpu(req->icid);
3252 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3257 /* Placeholder: Always refuse */
3258 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3263 static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3264 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3266 struct l2cap_move_chan_rsp *rsp = data;
3269 if (cmd_len != sizeof(*rsp))
3272 icid = le16_to_cpu(rsp->icid);
3273 result = le16_to_cpu(rsp->result);
3275 BT_DBG("icid %d, result %d", icid, result);
3277 /* Placeholder: Always unconfirmed */
3278 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3283 static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3284 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3286 struct l2cap_move_chan_cfm *cfm = data;
3289 if (cmd_len != sizeof(*cfm))
3292 icid = le16_to_cpu(cfm->icid);
3293 result = le16_to_cpu(cfm->result);
3295 BT_DBG("icid %d, result %d", icid, result);
3297 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3302 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3303 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3305 struct l2cap_move_chan_cfm_rsp *rsp = data;
3308 if (cmd_len != sizeof(*rsp))
3311 icid = le16_to_cpu(rsp->icid);
3313 BT_DBG("icid %d", icid);
3318 static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
3323 if (min > max || min < 6 || max > 3200)
3326 if (to_multiplier < 10 || to_multiplier > 3200)
3329 if (max >= to_multiplier * 8)
3332 max_latency = (to_multiplier * 8 / max) - 1;
3333 if (latency > 499 || latency > max_latency)
3339 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3340 struct l2cap_cmd_hdr *cmd, u8 *data)
3342 struct hci_conn *hcon = conn->hcon;
3343 struct l2cap_conn_param_update_req *req;
3344 struct l2cap_conn_param_update_rsp rsp;
3345 u16 min, max, latency, to_multiplier, cmd_len;
3348 if (!(hcon->link_mode & HCI_LM_MASTER))
3351 cmd_len = __le16_to_cpu(cmd->len);
3352 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3355 req = (struct l2cap_conn_param_update_req *) data;
3356 min = __le16_to_cpu(req->min);
3357 max = __le16_to_cpu(req->max);
3358 latency = __le16_to_cpu(req->latency);
3359 to_multiplier = __le16_to_cpu(req->to_multiplier);
3361 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3362 min, max, latency, to_multiplier);
3364 memset(&rsp, 0, sizeof(rsp));
3366 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3368 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3370 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3372 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3376 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3381 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3382 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3386 switch (cmd->code) {
3387 case L2CAP_COMMAND_REJ:
3388 l2cap_command_rej(conn, cmd, data);
3391 case L2CAP_CONN_REQ:
3392 err = l2cap_connect_req(conn, cmd, data);
3395 case L2CAP_CONN_RSP:
3396 err = l2cap_connect_rsp(conn, cmd, data);
3399 case L2CAP_CONF_REQ:
3400 err = l2cap_config_req(conn, cmd, cmd_len, data);
3403 case L2CAP_CONF_RSP:
3404 err = l2cap_config_rsp(conn, cmd, data);
3407 case L2CAP_DISCONN_REQ:
3408 err = l2cap_disconnect_req(conn, cmd, data);
3411 case L2CAP_DISCONN_RSP:
3412 err = l2cap_disconnect_rsp(conn, cmd, data);
3415 case L2CAP_ECHO_REQ:
3416 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3419 case L2CAP_ECHO_RSP:
3422 case L2CAP_INFO_REQ:
3423 err = l2cap_information_req(conn, cmd, data);
3426 case L2CAP_INFO_RSP:
3427 err = l2cap_information_rsp(conn, cmd, data);
3430 case L2CAP_CREATE_CHAN_REQ:
3431 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3434 case L2CAP_CREATE_CHAN_RSP:
3435 err = l2cap_create_channel_rsp(conn, cmd, data);
3438 case L2CAP_MOVE_CHAN_REQ:
3439 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3442 case L2CAP_MOVE_CHAN_RSP:
3443 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3446 case L2CAP_MOVE_CHAN_CFM:
3447 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3450 case L2CAP_MOVE_CHAN_CFM_RSP:
3451 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3455 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3463 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3464 struct l2cap_cmd_hdr *cmd, u8 *data)
3466 switch (cmd->code) {
3467 case L2CAP_COMMAND_REJ:
3470 case L2CAP_CONN_PARAM_UPDATE_REQ:
3471 return l2cap_conn_param_update_req(conn, cmd, data);
3473 case L2CAP_CONN_PARAM_UPDATE_RSP:
3477 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3482 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3483 struct sk_buff *skb)
3485 u8 *data = skb->data;
3487 struct l2cap_cmd_hdr cmd;
3490 l2cap_raw_recv(conn, skb);
3492 while (len >= L2CAP_CMD_HDR_SIZE) {
3494 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3495 data += L2CAP_CMD_HDR_SIZE;
3496 len -= L2CAP_CMD_HDR_SIZE;
3498 cmd_len = le16_to_cpu(cmd.len);
3500 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
3502 if (cmd_len > len || !cmd.ident) {
3503 BT_DBG("corrupted command");
3507 if (conn->hcon->type == LE_LINK)
3508 err = l2cap_le_sig_cmd(conn, &cmd, data);
3510 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
3513 struct l2cap_cmd_rej_unk rej;
3515 BT_ERR("Wrong link type (%d)", err);
3517 /* FIXME: Map err to a valid reason */
3518 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
3519 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3529 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
3531 u16 our_fcs, rcv_fcs;
3534 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3535 hdr_size = L2CAP_EXT_HDR_SIZE;
3537 hdr_size = L2CAP_ENH_HDR_SIZE;
3539 if (chan->fcs == L2CAP_FCS_CRC16) {
3540 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
3541 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3542 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3544 if (our_fcs != rcv_fcs)
3550 static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
3554 chan->frames_sent = 0;
3556 control |= __set_reqseq(chan, chan->buffer_seq);
3558 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3559 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
3560 l2cap_send_sframe(chan, control);
3561 set_bit(CONN_RNR_SENT, &chan->conn_state);
3564 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
3565 l2cap_retransmit_frames(chan);
3567 l2cap_ertm_send(chan);
3569 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
3570 chan->frames_sent == 0) {
3571 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
3572 l2cap_send_sframe(chan, control);
3576 static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
3578 struct sk_buff *next_skb;
3579 int tx_seq_offset, next_tx_seq_offset;
3581 bt_cb(skb)->tx_seq = tx_seq;
3582 bt_cb(skb)->sar = sar;
3584 next_skb = skb_peek(&chan->srej_q);
3586 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
3589 if (bt_cb(next_skb)->tx_seq == tx_seq)
3592 next_tx_seq_offset = __seq_offset(chan,
3593 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
3595 if (next_tx_seq_offset > tx_seq_offset) {
3596 __skb_queue_before(&chan->srej_q, next_skb, skb);
3600 if (skb_queue_is_last(&chan->srej_q, next_skb))
3603 next_skb = skb_queue_next(&chan->srej_q, next_skb);
3606 __skb_queue_tail(&chan->srej_q, skb);
3611 static void append_skb_frag(struct sk_buff *skb,
3612 struct sk_buff *new_frag, struct sk_buff **last_frag)
3614 /* skb->len reflects data in skb as well as all fragments
3615 * skb->data_len reflects only data in fragments
3617 if (!skb_has_frag_list(skb))
3618 skb_shinfo(skb)->frag_list = new_frag;
3620 new_frag->next = NULL;
3622 (*last_frag)->next = new_frag;
3623 *last_frag = new_frag;
3625 skb->len += new_frag->len;
3626 skb->data_len += new_frag->len;
3627 skb->truesize += new_frag->truesize;
3630 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
3634 switch (__get_ctrl_sar(chan, control)) {
3635 case L2CAP_SAR_UNSEGMENTED:
3639 err = chan->ops->recv(chan->data, skb);
3642 case L2CAP_SAR_START:
3646 chan->sdu_len = get_unaligned_le16(skb->data);
3647 skb_pull(skb, L2CAP_SDULEN_SIZE);
3649 if (chan->sdu_len > chan->imtu) {
3654 if (skb->len >= chan->sdu_len)
3658 chan->sdu_last_frag = skb;
3664 case L2CAP_SAR_CONTINUE:
3668 append_skb_frag(chan->sdu, skb,
3669 &chan->sdu_last_frag);
3672 if (chan->sdu->len >= chan->sdu_len)
3682 append_skb_frag(chan->sdu, skb,
3683 &chan->sdu_last_frag);
3686 if (chan->sdu->len != chan->sdu_len)
3689 err = chan->ops->recv(chan->data, chan->sdu);
3692 /* Reassembly complete */
3694 chan->sdu_last_frag = NULL;
3702 kfree_skb(chan->sdu);
3704 chan->sdu_last_frag = NULL;
3711 static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
3715 BT_DBG("chan %p, Enter local busy", chan);
3717 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3719 control = __set_reqseq(chan, chan->buffer_seq);
3720 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
3721 l2cap_send_sframe(chan, control);
3723 set_bit(CONN_RNR_SENT, &chan->conn_state);
3725 __clear_ack_timer(chan);
3728 static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3732 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3735 control = __set_reqseq(chan, chan->buffer_seq);
3736 control |= __set_ctrl_poll(chan);
3737 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
3738 l2cap_send_sframe(chan, control);
3739 chan->retry_count = 1;
3741 __clear_retrans_timer(chan);
3742 __set_monitor_timer(chan);
3744 set_bit(CONN_WAIT_F, &chan->conn_state);
3747 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3748 clear_bit(CONN_RNR_SENT, &chan->conn_state);
3750 BT_DBG("chan %p, Exit local busy", chan);
3753 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
3755 if (chan->mode == L2CAP_MODE_ERTM) {
3757 l2cap_ertm_enter_local_busy(chan);
3759 l2cap_ertm_exit_local_busy(chan);
3763 static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
3765 struct sk_buff *skb;
3768 while ((skb = skb_peek(&chan->srej_q)) &&
3769 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3772 if (bt_cb(skb)->tx_seq != tx_seq)
3775 skb = skb_dequeue(&chan->srej_q);
3776 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
3777 err = l2cap_reassemble_sdu(chan, skb, control);
3780 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3784 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3785 tx_seq = __next_seq(chan, tx_seq);
3789 static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
3791 struct srej_list *l, *tmp;
3794 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
3795 if (l->tx_seq == tx_seq) {
3800 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
3801 control |= __set_reqseq(chan, l->tx_seq);
3802 l2cap_send_sframe(chan, control);
3804 list_add_tail(&l->list, &chan->srej_l);
3808 static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
3810 struct srej_list *new;
3813 while (tx_seq != chan->expected_tx_seq) {
3814 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
3815 control |= __set_reqseq(chan, chan->expected_tx_seq);
3816 l2cap_send_sframe(chan, control);
3818 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3822 new->tx_seq = chan->expected_tx_seq;
3824 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3826 list_add_tail(&new->list, &chan->srej_l);
3829 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3834 static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
3836 u16 tx_seq = __get_txseq(chan, rx_control);
3837 u16 req_seq = __get_reqseq(chan, rx_control);
3838 u8 sar = __get_ctrl_sar(chan, rx_control);
3839 int tx_seq_offset, expected_tx_seq_offset;
3840 int num_to_ack = (chan->tx_win/6) + 1;
3843 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
3844 tx_seq, rx_control);
3846 if (__is_ctrl_final(chan, rx_control) &&
3847 test_bit(CONN_WAIT_F, &chan->conn_state)) {
3848 __clear_monitor_timer(chan);
3849 if (chan->unacked_frames > 0)
3850 __set_retrans_timer(chan);
3851 clear_bit(CONN_WAIT_F, &chan->conn_state);
3854 chan->expected_ack_seq = req_seq;
3855 l2cap_drop_acked_frames(chan);
3857 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
3859 /* invalid tx_seq */
3860 if (tx_seq_offset >= chan->tx_win) {
3861 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3865 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
3868 if (tx_seq == chan->expected_tx_seq)
3871 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3872 struct srej_list *first;
3874 first = list_first_entry(&chan->srej_l,
3875 struct srej_list, list);
3876 if (tx_seq == first->tx_seq) {
3877 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3878 l2cap_check_srej_gap(chan, tx_seq);
3880 list_del(&first->list);
3883 if (list_empty(&chan->srej_l)) {
3884 chan->buffer_seq = chan->buffer_seq_srej;
3885 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
3886 l2cap_send_ack(chan);
3887 BT_DBG("chan %p, Exit SREJ_SENT", chan);
3890 struct srej_list *l;
3892 /* duplicated tx_seq */
3893 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
3896 list_for_each_entry(l, &chan->srej_l, list) {
3897 if (l->tx_seq == tx_seq) {
3898 l2cap_resend_srejframe(chan, tx_seq);
3903 err = l2cap_send_srejframe(chan, tx_seq);
3905 l2cap_send_disconn_req(chan->conn, chan, -err);
3910 expected_tx_seq_offset = __seq_offset(chan,
3911 chan->expected_tx_seq, chan->buffer_seq);
3913 /* duplicated tx_seq */
3914 if (tx_seq_offset < expected_tx_seq_offset)
3917 set_bit(CONN_SREJ_SENT, &chan->conn_state);
3919 BT_DBG("chan %p, Enter SREJ", chan);
3921 INIT_LIST_HEAD(&chan->srej_l);
3922 chan->buffer_seq_srej = chan->buffer_seq;
3924 __skb_queue_head_init(&chan->srej_q);
3925 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3927 set_bit(CONN_SEND_PBIT, &chan->conn_state);
3929 err = l2cap_send_srejframe(chan, tx_seq);
3931 l2cap_send_disconn_req(chan->conn, chan, -err);
3935 __clear_ack_timer(chan);
3940 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3942 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3943 bt_cb(skb)->tx_seq = tx_seq;
3944 bt_cb(skb)->sar = sar;
3945 __skb_queue_tail(&chan->srej_q, skb);
3949 err = l2cap_reassemble_sdu(chan, skb, rx_control);
3950 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
3953 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3957 if (__is_ctrl_final(chan, rx_control)) {
3958 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3959 l2cap_retransmit_frames(chan);
3963 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3964 if (chan->num_acked == num_to_ack - 1)
3965 l2cap_send_ack(chan);
3967 __set_ack_timer(chan);
3976 static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
3978 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
3979 __get_reqseq(chan, rx_control), rx_control);
3981 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
3982 l2cap_drop_acked_frames(chan);
3984 if (__is_ctrl_poll(chan, rx_control)) {
3985 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3986 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3987 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
3988 (chan->unacked_frames > 0))
3989 __set_retrans_timer(chan);
3991 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3992 l2cap_send_srejtail(chan);
3994 l2cap_send_i_or_rr_or_rnr(chan);
3997 } else if (__is_ctrl_final(chan, rx_control)) {
3998 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4000 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4001 l2cap_retransmit_frames(chan);
4004 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4005 (chan->unacked_frames > 0))
4006 __set_retrans_timer(chan);
4008 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4009 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
4010 l2cap_send_ack(chan);
4012 l2cap_ertm_send(chan);
4016 static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
4018 u16 tx_seq = __get_reqseq(chan, rx_control);
4020 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4022 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4024 chan->expected_ack_seq = tx_seq;
4025 l2cap_drop_acked_frames(chan);
4027 if (__is_ctrl_final(chan, rx_control)) {
4028 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4029 l2cap_retransmit_frames(chan);
4031 l2cap_retransmit_frames(chan);
4033 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4034 set_bit(CONN_REJ_ACT, &chan->conn_state);
4037 static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
4039 u16 tx_seq = __get_reqseq(chan, rx_control);
4041 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4043 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4045 if (__is_ctrl_poll(chan, rx_control)) {
4046 chan->expected_ack_seq = tx_seq;
4047 l2cap_drop_acked_frames(chan);
4049 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4050 l2cap_retransmit_one_frame(chan, tx_seq);
4052 l2cap_ertm_send(chan);
4054 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
4055 chan->srej_save_reqseq = tx_seq;
4056 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4058 } else if (__is_ctrl_final(chan, rx_control)) {
4059 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
4060 chan->srej_save_reqseq == tx_seq)
4061 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4063 l2cap_retransmit_one_frame(chan, tx_seq);
4065 l2cap_retransmit_one_frame(chan, tx_seq);
4066 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
4067 chan->srej_save_reqseq = tx_seq;
4068 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4073 static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
4075 u16 tx_seq = __get_reqseq(chan, rx_control);
4077 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4079 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4080 chan->expected_ack_seq = tx_seq;
4081 l2cap_drop_acked_frames(chan);
4083 if (__is_ctrl_poll(chan, rx_control))
4084 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4086 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4087 __clear_retrans_timer(chan);
4088 if (__is_ctrl_poll(chan, rx_control))
4089 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
4093 if (__is_ctrl_poll(chan, rx_control)) {
4094 l2cap_send_srejtail(chan);
4096 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4097 l2cap_send_sframe(chan, rx_control);
4101 static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
4103 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
4105 if (__is_ctrl_final(chan, rx_control) &&
4106 test_bit(CONN_WAIT_F, &chan->conn_state)) {
4107 __clear_monitor_timer(chan);
4108 if (chan->unacked_frames > 0)
4109 __set_retrans_timer(chan);
4110 clear_bit(CONN_WAIT_F, &chan->conn_state);
4113 switch (__get_ctrl_super(chan, rx_control)) {
4114 case L2CAP_SUPER_RR:
4115 l2cap_data_channel_rrframe(chan, rx_control);
4118 case L2CAP_SUPER_REJ:
4119 l2cap_data_channel_rejframe(chan, rx_control);
4122 case L2CAP_SUPER_SREJ:
4123 l2cap_data_channel_srejframe(chan, rx_control);
4126 case L2CAP_SUPER_RNR:
4127 l2cap_data_channel_rnrframe(chan, rx_control);
4135 static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
4137 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
4140 int len, next_tx_seq_offset, req_seq_offset;
4142 control = __get_control(chan, skb->data);
4143 skb_pull(skb, __ctrl_size(chan));
4147 * We can just drop the corrupted I-frame here.
4148 * Receiver will miss it and start proper recovery
4149 * procedures and ask retransmission.
4151 if (l2cap_check_fcs(chan, skb))
4154 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
4155 len -= L2CAP_SDULEN_SIZE;
4157 if (chan->fcs == L2CAP_FCS_CRC16)
4158 len -= L2CAP_FCS_SIZE;
4160 if (len > chan->mps) {
4161 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4165 req_seq = __get_reqseq(chan, control);
4167 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4169 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4170 chan->expected_ack_seq);
4172 /* check for invalid req-seq */
4173 if (req_seq_offset > next_tx_seq_offset) {
4174 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4178 if (!__is_sframe(chan, control)) {
4180 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4184 l2cap_data_channel_iframe(chan, control, skb);
4188 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4192 l2cap_data_channel_sframe(chan, control, skb);
4202 static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4204 struct l2cap_chan *chan;
4205 struct sock *sk = NULL;
4210 chan = l2cap_get_chan_by_scid(conn, cid);
4212 BT_DBG("unknown cid 0x%4.4x", cid);
4218 BT_DBG("chan %p, len %d", chan, skb->len);
4220 if (chan->state != BT_CONNECTED)
4223 switch (chan->mode) {
4224 case L2CAP_MODE_BASIC:
4225 /* If socket recv buffers overflows we drop data here
4226 * which is *bad* because L2CAP has to be reliable.
4227 * But we don't have any other choice. L2CAP doesn't
4228 * provide flow control mechanism. */
4230 if (chan->imtu < skb->len)
4233 if (!chan->ops->recv(chan->data, skb))
4237 case L2CAP_MODE_ERTM:
4238 l2cap_ertm_data_rcv(sk, skb);
4242 case L2CAP_MODE_STREAMING:
4243 control = __get_control(chan, skb->data);
4244 skb_pull(skb, __ctrl_size(chan));
4247 if (l2cap_check_fcs(chan, skb))
4250 if (__is_sar_start(chan, control))
4251 len -= L2CAP_SDULEN_SIZE;
4253 if (chan->fcs == L2CAP_FCS_CRC16)
4254 len -= L2CAP_FCS_SIZE;
4256 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
4259 tx_seq = __get_txseq(chan, control);
4261 if (chan->expected_tx_seq != tx_seq) {
4262 /* Frame(s) missing - must discard partial SDU */
4263 kfree_skb(chan->sdu);
4265 chan->sdu_last_frag = NULL;
4268 /* TODO: Notify userland of missing data */
4271 chan->expected_tx_seq = __next_seq(chan, tx_seq);
4273 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4274 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4279 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
4293 static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
4295 struct sock *sk = NULL;
4296 struct l2cap_chan *chan;
4298 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
4306 BT_DBG("sk %p, len %d", sk, skb->len);
4308 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
4311 if (chan->imtu < skb->len)
4314 if (!chan->ops->recv(chan->data, skb))
4326 static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
4328 struct sock *sk = NULL;
4329 struct l2cap_chan *chan;
4331 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4339 BT_DBG("sk %p, len %d", sk, skb->len);
4341 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
4344 if (chan->imtu < skb->len)
4347 if (!chan->ops->recv(chan->data, skb))
4359 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4361 struct l2cap_hdr *lh = (void *) skb->data;
4365 skb_pull(skb, L2CAP_HDR_SIZE);
4366 cid = __le16_to_cpu(lh->cid);
4367 len = __le16_to_cpu(lh->len);
4369 if (len != skb->len) {
4374 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4377 case L2CAP_CID_LE_SIGNALING:
4378 case L2CAP_CID_SIGNALING:
4379 l2cap_sig_channel(conn, skb);
4382 case L2CAP_CID_CONN_LESS:
4383 psm = get_unaligned_le16(skb->data);
4385 l2cap_conless_channel(conn, psm, skb);
4388 case L2CAP_CID_LE_DATA:
4389 l2cap_att_channel(conn, cid, skb);
4393 if (smp_sig_channel(conn, skb))
4394 l2cap_conn_del(conn->hcon, EACCES);
4398 l2cap_data_channel(conn, cid, skb);
4403 /* ---- L2CAP interface with lower layer (HCI) ---- */
4405 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
4407 int exact = 0, lm1 = 0, lm2 = 0;
4408 struct l2cap_chan *c;
4410 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4412 /* Find listening sockets and check their link_mode */
4413 read_lock(&chan_list_lock);
4414 list_for_each_entry(c, &chan_list, global_l) {
4415 struct sock *sk = c->sk;
4417 if (c->state != BT_LISTEN)
4420 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
4421 lm1 |= HCI_LM_ACCEPT;
4422 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
4423 lm1 |= HCI_LM_MASTER;
4425 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4426 lm2 |= HCI_LM_ACCEPT;
4427 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
4428 lm2 |= HCI_LM_MASTER;
4431 read_unlock(&chan_list_lock);
4433 return exact ? lm1 : lm2;
4436 int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4438 struct l2cap_conn *conn;
4440 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4443 conn = l2cap_conn_add(hcon, status);
4445 l2cap_conn_ready(conn);
4447 l2cap_conn_del(hcon, bt_to_errno(status));
4452 int l2cap_disconn_ind(struct hci_conn *hcon)
4454 struct l2cap_conn *conn = hcon->l2cap_data;
4456 BT_DBG("hcon %p", hcon);
4459 return HCI_ERROR_REMOTE_USER_TERM;
4460 return conn->disc_reason;
4463 int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
4465 BT_DBG("hcon %p reason %d", hcon, reason);
4467 l2cap_conn_del(hcon, bt_to_errno(reason));
4471 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
4473 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
4476 if (encrypt == 0x00) {
4477 if (chan->sec_level == BT_SECURITY_MEDIUM) {
4478 __clear_chan_timer(chan);
4479 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4480 } else if (chan->sec_level == BT_SECURITY_HIGH)
4481 l2cap_chan_close(chan, ECONNREFUSED);
4483 if (chan->sec_level == BT_SECURITY_MEDIUM)
4484 __clear_chan_timer(chan);
4488 int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4490 struct l2cap_conn *conn = hcon->l2cap_data;
4491 struct l2cap_chan *chan;
4496 BT_DBG("conn %p", conn);
4498 if (hcon->type == LE_LINK) {
4499 smp_distribute_keys(conn, 0);
4500 __cancel_delayed_work(&conn->security_timer);
4505 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
4506 struct sock *sk = chan->sk;
4510 BT_DBG("chan->scid %d", chan->scid);
4512 if (chan->scid == L2CAP_CID_LE_DATA) {
4513 if (!status && encrypt) {
4514 chan->sec_level = hcon->sec_level;
4515 l2cap_chan_ready(sk);
4522 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
4527 if (!status && (chan->state == BT_CONNECTED ||
4528 chan->state == BT_CONFIG)) {
4529 l2cap_check_encryption(chan, encrypt);
4534 if (chan->state == BT_CONNECT) {
4536 struct l2cap_conn_req req;
4537 req.scid = cpu_to_le16(chan->scid);
4538 req.psm = chan->psm;
4540 chan->ident = l2cap_get_ident(conn);
4541 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4543 l2cap_send_cmd(conn, chan->ident,
4544 L2CAP_CONN_REQ, sizeof(req), &req);
4546 __clear_chan_timer(chan);
4547 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
4549 } else if (chan->state == BT_CONNECT2) {
4550 struct l2cap_conn_rsp rsp;
4554 if (bt_sk(sk)->defer_setup) {
4555 struct sock *parent = bt_sk(sk)->parent;
4556 res = L2CAP_CR_PEND;
4557 stat = L2CAP_CS_AUTHOR_PEND;
4559 parent->sk_data_ready(parent, 0);
4561 l2cap_state_change(chan, BT_CONFIG);
4562 res = L2CAP_CR_SUCCESS;
4563 stat = L2CAP_CS_NO_INFO;
4566 l2cap_state_change(chan, BT_DISCONN);
4567 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
4568 res = L2CAP_CR_SEC_BLOCK;
4569 stat = L2CAP_CS_NO_INFO;
4572 rsp.scid = cpu_to_le16(chan->dcid);
4573 rsp.dcid = cpu_to_le16(chan->scid);
4574 rsp.result = cpu_to_le16(res);
4575 rsp.status = cpu_to_le16(stat);
4576 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4588 int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4590 struct l2cap_conn *conn = hcon->l2cap_data;
4593 conn = l2cap_conn_add(hcon, 0);
4598 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4600 if (!(flags & ACL_CONT)) {
4601 struct l2cap_hdr *hdr;
4602 struct l2cap_chan *chan;
4607 BT_ERR("Unexpected start frame (len %d)", skb->len);
4608 kfree_skb(conn->rx_skb);
4609 conn->rx_skb = NULL;
4611 l2cap_conn_unreliable(conn, ECOMM);
4614 /* Start fragment always begin with Basic L2CAP header */
4615 if (skb->len < L2CAP_HDR_SIZE) {
4616 BT_ERR("Frame is too short (len %d)", skb->len);
4617 l2cap_conn_unreliable(conn, ECOMM);
4621 hdr = (struct l2cap_hdr *) skb->data;
4622 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4623 cid = __le16_to_cpu(hdr->cid);
4625 if (len == skb->len) {
4626 /* Complete frame received */
4627 l2cap_recv_frame(conn, skb);
4631 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4633 if (skb->len > len) {
4634 BT_ERR("Frame is too long (len %d, expected len %d)",
4636 l2cap_conn_unreliable(conn, ECOMM);
4640 chan = l2cap_get_chan_by_scid(conn, cid);
4642 if (chan && chan->sk) {
4643 struct sock *sk = chan->sk;
4645 if (chan->imtu < len - L2CAP_HDR_SIZE) {
4646 BT_ERR("Frame exceeding recv MTU (len %d, "
4650 l2cap_conn_unreliable(conn, ECOMM);
4656 /* Allocate skb for the complete frame (with header) */
4657 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4661 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4663 conn->rx_len = len - skb->len;
4665 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4667 if (!conn->rx_len) {
4668 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4669 l2cap_conn_unreliable(conn, ECOMM);
4673 if (skb->len > conn->rx_len) {
4674 BT_ERR("Fragment is too long (len %d, expected %d)",
4675 skb->len, conn->rx_len);
4676 kfree_skb(conn->rx_skb);
4677 conn->rx_skb = NULL;
4679 l2cap_conn_unreliable(conn, ECOMM);
4683 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4685 conn->rx_len -= skb->len;
4687 if (!conn->rx_len) {
4688 /* Complete frame received */
4689 l2cap_recv_frame(conn, conn->rx_skb);
4690 conn->rx_skb = NULL;
4699 static int l2cap_debugfs_show(struct seq_file *f, void *p)
4701 struct l2cap_chan *c;
4703 read_lock_bh(&chan_list_lock);
4705 list_for_each_entry(c, &chan_list, global_l) {
4706 struct sock *sk = c->sk;
4708 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
4709 batostr(&bt_sk(sk)->src),
4710 batostr(&bt_sk(sk)->dst),
4711 c->state, __le16_to_cpu(c->psm),
4712 c->scid, c->dcid, c->imtu, c->omtu,
4713 c->sec_level, c->mode);
4716 read_unlock_bh(&chan_list_lock);
4721 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4723 return single_open(file, l2cap_debugfs_show, inode->i_private);
4726 static const struct file_operations l2cap_debugfs_fops = {
4727 .open = l2cap_debugfs_open,
4729 .llseek = seq_lseek,
4730 .release = single_release,
4733 static struct dentry *l2cap_debugfs;
4735 int __init l2cap_init(void)
4739 err = l2cap_init_sockets();
4744 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4745 bt_debugfs, NULL, &l2cap_debugfs_fops);
4747 BT_ERR("Failed to create L2CAP debug file");
4753 void l2cap_exit(void)
4755 debugfs_remove(l2cap_debugfs);
4756 l2cap_cleanup_sockets();
4759 module_param(disable_ertm, bool, 0644);
4760 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
projects / mv-sheeva.git / blob