2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2 as
11 published by the Free Software Foundation;
13 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
16 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
17 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
18 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
20 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
23 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
24 SOFTWARE IS DISCLAIMED.
27 /* Bluetooth L2CAP core. */
29 #include <linux/module.h>
31 #include <linux/types.h>
32 #include <linux/capability.h>
33 #include <linux/errno.h>
34 #include <linux/kernel.h>
35 #include <linux/sched.h>
36 #include <linux/slab.h>
37 #include <linux/poll.h>
38 #include <linux/fcntl.h>
39 #include <linux/init.h>
40 #include <linux/interrupt.h>
41 #include <linux/socket.h>
42 #include <linux/skbuff.h>
43 #include <linux/list.h>
44 #include <linux/device.h>
45 #include <linux/debugfs.h>
46 #include <linux/seq_file.h>
47 #include <linux/uaccess.h>
48 #include <linux/crc16.h>
51 #include <asm/system.h>
52 #include <asm/unaligned.h>
54 #include <net/bluetooth/bluetooth.h>
55 #include <net/bluetooth/hci_core.h>
56 #include <net/bluetooth/l2cap.h>
57 #include <net/bluetooth/smp.h>
61 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
62 static u8 l2cap_fixed_chan[8] = { 0x02, };
64 static LIST_HEAD(chan_list);
65 static DEFINE_RWLOCK(chan_list_lock);
67 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
68 u8 code, u8 ident, u16 dlen, void *data);
69 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
72 static void l2cap_send_disconn_req(struct l2cap_conn *conn,
73 struct l2cap_chan *chan, int err);
75 static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
77 /* ---- L2CAP channels ---- */
79 static inline void chan_hold(struct l2cap_chan *c)
81 atomic_inc(&c->refcnt);
84 static inline void chan_put(struct l2cap_chan *c)
86 if (atomic_dec_and_test(&c->refcnt))
90 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
94 list_for_each_entry(c, &conn->chan_l, list) {
102 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
104 struct l2cap_chan *c;
106 list_for_each_entry(c, &conn->chan_l, list) {
113 /* Find channel with given SCID.
114 * Returns locked socket */
115 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
117 struct l2cap_chan *c;
119 read_lock(&conn->chan_lock);
120 c = __l2cap_get_chan_by_scid(conn, cid);
123 read_unlock(&conn->chan_lock);
127 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
129 struct l2cap_chan *c;
131 list_for_each_entry(c, &conn->chan_l, list) {
132 if (c->ident == ident)
138 static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
140 struct l2cap_chan *c;
142 read_lock(&conn->chan_lock);
143 c = __l2cap_get_chan_by_ident(conn, ident);
146 read_unlock(&conn->chan_lock);
150 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
152 struct l2cap_chan *c;
154 list_for_each_entry(c, &chan_list, global_l) {
155 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
164 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
168 write_lock_bh(&chan_list_lock);
170 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
183 for (p = 0x1001; p < 0x1100; p += 2)
184 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
185 chan->psm = cpu_to_le16(p);
186 chan->sport = cpu_to_le16(p);
193 write_unlock_bh(&chan_list_lock);
197 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
199 write_lock_bh(&chan_list_lock);
203 write_unlock_bh(&chan_list_lock);
208 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
210 u16 cid = L2CAP_CID_DYN_START;
212 for (; cid < L2CAP_CID_DYN_END; cid++) {
213 if (!__l2cap_get_chan_by_scid(conn, cid))
220 static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
222 BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
224 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
228 static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
230 BT_DBG("chan %p state %d", chan, chan->state);
232 if (timer_pending(timer) && del_timer(timer))
236 static void l2cap_state_change(struct l2cap_chan *chan, int state)
239 chan->ops->state_change(chan->data, state);
242 static void l2cap_chan_timeout(unsigned long arg)
244 struct l2cap_chan *chan = (struct l2cap_chan *) arg;
245 struct sock *sk = chan->sk;
248 BT_DBG("chan %p state %d", chan, chan->state);
252 if (sock_owned_by_user(sk)) {
253 /* sk is owned by user. Try again later */
254 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
260 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
261 reason = ECONNREFUSED;
262 else if (chan->state == BT_CONNECT &&
263 chan->sec_level != BT_SECURITY_SDP)
264 reason = ECONNREFUSED;
268 l2cap_chan_close(chan, reason);
272 chan->ops->close(chan->data);
276 struct l2cap_chan *l2cap_chan_create(struct sock *sk)
278 struct l2cap_chan *chan;
280 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
286 write_lock_bh(&chan_list_lock);
287 list_add(&chan->global_l, &chan_list);
288 write_unlock_bh(&chan_list_lock);
290 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);
292 chan->state = BT_OPEN;
294 atomic_set(&chan->refcnt, 1);
299 void l2cap_chan_destroy(struct l2cap_chan *chan)
301 write_lock_bh(&chan_list_lock);
302 list_del(&chan->global_l);
303 write_unlock_bh(&chan_list_lock);
308 static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
310 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
311 chan->psm, chan->dcid);
313 conn->disc_reason = 0x13;
317 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
318 if (conn->hcon->type == LE_LINK) {
320 chan->omtu = L2CAP_LE_DEFAULT_MTU;
321 chan->scid = L2CAP_CID_LE_DATA;
322 chan->dcid = L2CAP_CID_LE_DATA;
324 /* Alloc CID for connection-oriented socket */
325 chan->scid = l2cap_alloc_cid(conn);
326 chan->omtu = L2CAP_DEFAULT_MTU;
328 } else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
329 /* Connectionless socket */
330 chan->scid = L2CAP_CID_CONN_LESS;
331 chan->dcid = L2CAP_CID_CONN_LESS;
332 chan->omtu = L2CAP_DEFAULT_MTU;
334 /* Raw socket can send/recv signalling messages only */
335 chan->scid = L2CAP_CID_SIGNALING;
336 chan->dcid = L2CAP_CID_SIGNALING;
337 chan->omtu = L2CAP_DEFAULT_MTU;
342 list_add(&chan->list, &conn->chan_l);
346 * Must be called on the locked socket. */
347 static void l2cap_chan_del(struct l2cap_chan *chan, int err)
349 struct sock *sk = chan->sk;
350 struct l2cap_conn *conn = chan->conn;
351 struct sock *parent = bt_sk(sk)->parent;
353 __clear_chan_timer(chan);
355 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
358 /* Delete from channel list */
359 write_lock_bh(&conn->chan_lock);
360 list_del(&chan->list);
361 write_unlock_bh(&conn->chan_lock);
365 hci_conn_put(conn->hcon);
368 l2cap_state_change(chan, BT_CLOSED);
369 sock_set_flag(sk, SOCK_ZAPPED);
375 bt_accept_unlink(sk);
376 parent->sk_data_ready(parent, 0);
378 sk->sk_state_change(sk);
380 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
381 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
384 skb_queue_purge(&chan->tx_q);
386 if (chan->mode == L2CAP_MODE_ERTM) {
387 struct srej_list *l, *tmp;
389 __clear_retrans_timer(chan);
390 __clear_monitor_timer(chan);
391 __clear_ack_timer(chan);
393 skb_queue_purge(&chan->srej_q);
395 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
402 static void l2cap_chan_cleanup_listen(struct sock *parent)
406 BT_DBG("parent %p", parent);
408 /* Close not yet accepted channels */
409 while ((sk = bt_accept_dequeue(parent, NULL))) {
410 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
411 __clear_chan_timer(chan);
413 l2cap_chan_close(chan, ECONNRESET);
415 chan->ops->close(chan->data);
419 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
421 struct l2cap_conn *conn = chan->conn;
422 struct sock *sk = chan->sk;
424 BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
426 switch (chan->state) {
428 l2cap_chan_cleanup_listen(sk);
430 l2cap_state_change(chan, BT_CLOSED);
431 sock_set_flag(sk, SOCK_ZAPPED);
436 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
437 conn->hcon->type == ACL_LINK) {
438 __clear_chan_timer(chan);
439 __set_chan_timer(chan, sk->sk_sndtimeo);
440 l2cap_send_disconn_req(conn, chan, reason);
442 l2cap_chan_del(chan, reason);
446 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
447 conn->hcon->type == ACL_LINK) {
448 struct l2cap_conn_rsp rsp;
451 if (bt_sk(sk)->defer_setup)
452 result = L2CAP_CR_SEC_BLOCK;
454 result = L2CAP_CR_BAD_PSM;
455 l2cap_state_change(chan, BT_DISCONN);
457 rsp.scid = cpu_to_le16(chan->dcid);
458 rsp.dcid = cpu_to_le16(chan->scid);
459 rsp.result = cpu_to_le16(result);
460 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
461 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
465 l2cap_chan_del(chan, reason);
470 l2cap_chan_del(chan, reason);
474 sock_set_flag(sk, SOCK_ZAPPED);
479 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
481 if (chan->chan_type == L2CAP_CHAN_RAW) {
482 switch (chan->sec_level) {
483 case BT_SECURITY_HIGH:
484 return HCI_AT_DEDICATED_BONDING_MITM;
485 case BT_SECURITY_MEDIUM:
486 return HCI_AT_DEDICATED_BONDING;
488 return HCI_AT_NO_BONDING;
490 } else if (chan->psm == cpu_to_le16(0x0001)) {
491 if (chan->sec_level == BT_SECURITY_LOW)
492 chan->sec_level = BT_SECURITY_SDP;
494 if (chan->sec_level == BT_SECURITY_HIGH)
495 return HCI_AT_NO_BONDING_MITM;
497 return HCI_AT_NO_BONDING;
499 switch (chan->sec_level) {
500 case BT_SECURITY_HIGH:
501 return HCI_AT_GENERAL_BONDING_MITM;
502 case BT_SECURITY_MEDIUM:
503 return HCI_AT_GENERAL_BONDING;
505 return HCI_AT_NO_BONDING;
510 /* Service level security */
511 static inline int l2cap_check_security(struct l2cap_chan *chan)
513 struct l2cap_conn *conn = chan->conn;
516 auth_type = l2cap_get_auth_type(chan);
518 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
521 static u8 l2cap_get_ident(struct l2cap_conn *conn)
525 /* Get next available identificator.
526 * 1 - 128 are used by kernel.
527 * 129 - 199 are reserved.
528 * 200 - 254 are used by utilities like l2ping, etc.
531 spin_lock_bh(&conn->lock);
533 if (++conn->tx_ident > 128)
538 spin_unlock_bh(&conn->lock);
543 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
545 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
548 BT_DBG("code 0x%2.2x", code);
553 if (lmp_no_flush_capable(conn->hcon->hdev))
554 flags = ACL_START_NO_FLUSH;
558 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
560 hci_send_acl(conn->hcon, skb, flags);
563 static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
566 struct l2cap_hdr *lh;
567 struct l2cap_conn *conn = chan->conn;
568 int count, hlen = L2CAP_HDR_SIZE + 2;
571 if (chan->state != BT_CONNECTED)
574 if (chan->fcs == L2CAP_FCS_CRC16)
577 BT_DBG("chan %p, control 0x%2.2x", chan, control);
579 count = min_t(unsigned int, conn->mtu, hlen);
580 control |= L2CAP_CTRL_FRAME_TYPE;
582 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
583 control |= L2CAP_CTRL_FINAL;
585 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
586 control |= L2CAP_CTRL_POLL;
588 skb = bt_skb_alloc(count, GFP_ATOMIC);
592 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
593 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
594 lh->cid = cpu_to_le16(chan->dcid);
595 put_unaligned_le16(control, skb_put(skb, 2));
597 if (chan->fcs == L2CAP_FCS_CRC16) {
598 u16 fcs = crc16(0, (u8 *)lh, count - 2);
599 put_unaligned_le16(fcs, skb_put(skb, 2));
602 if (lmp_no_flush_capable(conn->hcon->hdev))
603 flags = ACL_START_NO_FLUSH;
607 bt_cb(skb)->force_active = chan->force_active;
609 hci_send_acl(chan->conn->hcon, skb, flags);
612 static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
614 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
615 control |= L2CAP_SUPER_RCV_NOT_READY;
616 set_bit(CONN_RNR_SENT, &chan->conn_state);
618 control |= L2CAP_SUPER_RCV_READY;
620 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
622 l2cap_send_sframe(chan, control);
625 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
627 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
630 static void l2cap_do_start(struct l2cap_chan *chan)
632 struct l2cap_conn *conn = chan->conn;
634 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
635 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
638 if (l2cap_check_security(chan) &&
639 __l2cap_no_conn_pending(chan)) {
640 struct l2cap_conn_req req;
641 req.scid = cpu_to_le16(chan->scid);
644 chan->ident = l2cap_get_ident(conn);
645 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
647 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
651 struct l2cap_info_req req;
652 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
654 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
655 conn->info_ident = l2cap_get_ident(conn);
657 mod_timer(&conn->info_timer, jiffies +
658 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
660 l2cap_send_cmd(conn, conn->info_ident,
661 L2CAP_INFO_REQ, sizeof(req), &req);
665 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
667 u32 local_feat_mask = l2cap_feat_mask;
669 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
672 case L2CAP_MODE_ERTM:
673 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
674 case L2CAP_MODE_STREAMING:
675 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
681 static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
684 struct l2cap_disconn_req req;
691 if (chan->mode == L2CAP_MODE_ERTM) {
692 __clear_retrans_timer(chan);
693 __clear_monitor_timer(chan);
694 __clear_ack_timer(chan);
697 req.dcid = cpu_to_le16(chan->dcid);
698 req.scid = cpu_to_le16(chan->scid);
699 l2cap_send_cmd(conn, l2cap_get_ident(conn),
700 L2CAP_DISCONN_REQ, sizeof(req), &req);
702 l2cap_state_change(chan, BT_DISCONN);
706 /* ---- L2CAP connections ---- */
707 static void l2cap_conn_start(struct l2cap_conn *conn)
709 struct l2cap_chan *chan, *tmp;
711 BT_DBG("conn %p", conn);
713 read_lock(&conn->chan_lock);
715 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
716 struct sock *sk = chan->sk;
720 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
725 if (chan->state == BT_CONNECT) {
726 struct l2cap_conn_req req;
728 if (!l2cap_check_security(chan) ||
729 !__l2cap_no_conn_pending(chan)) {
734 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
735 && test_bit(CONF_STATE2_DEVICE,
736 &chan->conf_state)) {
737 /* l2cap_chan_close() calls list_del(chan)
738 * so release the lock */
739 read_unlock(&conn->chan_lock);
740 l2cap_chan_close(chan, ECONNRESET);
741 read_lock(&conn->chan_lock);
746 req.scid = cpu_to_le16(chan->scid);
749 chan->ident = l2cap_get_ident(conn);
750 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
752 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
755 } else if (chan->state == BT_CONNECT2) {
756 struct l2cap_conn_rsp rsp;
758 rsp.scid = cpu_to_le16(chan->dcid);
759 rsp.dcid = cpu_to_le16(chan->scid);
761 if (l2cap_check_security(chan)) {
762 if (bt_sk(sk)->defer_setup) {
763 struct sock *parent = bt_sk(sk)->parent;
764 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
765 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
767 parent->sk_data_ready(parent, 0);
770 l2cap_state_change(chan, BT_CONFIG);
771 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
772 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
775 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
776 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
779 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
782 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
783 rsp.result != L2CAP_CR_SUCCESS) {
788 set_bit(CONF_REQ_SENT, &chan->conf_state);
789 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
790 l2cap_build_conf_req(chan, buf), buf);
791 chan->num_conf_req++;
797 read_unlock(&conn->chan_lock);
800 /* Find socket with cid and source bdaddr.
801 * Returns closest match, locked.
803 static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
805 struct l2cap_chan *c, *c1 = NULL;
807 read_lock(&chan_list_lock);
809 list_for_each_entry(c, &chan_list, global_l) {
810 struct sock *sk = c->sk;
812 if (state && c->state != state)
815 if (c->scid == cid) {
817 if (!bacmp(&bt_sk(sk)->src, src)) {
818 read_unlock(&chan_list_lock);
823 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
828 read_unlock(&chan_list_lock);
833 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
835 struct sock *parent, *sk;
836 struct l2cap_chan *chan, *pchan;
840 /* Check if we have socket listening on cid */
841 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
848 bh_lock_sock(parent);
850 /* Check for backlog size */
851 if (sk_acceptq_is_full(parent)) {
852 BT_DBG("backlog full %d", parent->sk_ack_backlog);
856 chan = pchan->ops->new_connection(pchan->data);
862 write_lock_bh(&conn->chan_lock);
864 hci_conn_hold(conn->hcon);
866 bacpy(&bt_sk(sk)->src, conn->src);
867 bacpy(&bt_sk(sk)->dst, conn->dst);
869 bt_accept_enqueue(parent, sk);
871 __l2cap_chan_add(conn, chan);
873 __set_chan_timer(chan, sk->sk_sndtimeo);
875 l2cap_state_change(chan, BT_CONNECTED);
876 parent->sk_data_ready(parent, 0);
878 write_unlock_bh(&conn->chan_lock);
881 bh_unlock_sock(parent);
884 static void l2cap_chan_ready(struct sock *sk)
886 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
887 struct sock *parent = bt_sk(sk)->parent;
889 BT_DBG("sk %p, parent %p", sk, parent);
891 chan->conf_state = 0;
892 __clear_chan_timer(chan);
894 l2cap_state_change(chan, BT_CONNECTED);
895 sk->sk_state_change(sk);
898 parent->sk_data_ready(parent, 0);
901 static void l2cap_conn_ready(struct l2cap_conn *conn)
903 struct l2cap_chan *chan;
905 BT_DBG("conn %p", conn);
907 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
908 l2cap_le_conn_ready(conn);
910 if (conn->hcon->out && conn->hcon->type == LE_LINK)
911 smp_conn_security(conn, conn->hcon->pending_sec_level);
913 read_lock(&conn->chan_lock);
915 list_for_each_entry(chan, &conn->chan_l, list) {
916 struct sock *sk = chan->sk;
920 if (conn->hcon->type == LE_LINK) {
921 if (smp_conn_security(conn, chan->sec_level))
922 l2cap_chan_ready(sk);
924 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
925 __clear_chan_timer(chan);
926 l2cap_state_change(chan, BT_CONNECTED);
927 sk->sk_state_change(sk);
929 } else if (chan->state == BT_CONNECT)
930 l2cap_do_start(chan);
935 read_unlock(&conn->chan_lock);
938 /* Notify sockets that we cannot guaranty reliability anymore */
939 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
941 struct l2cap_chan *chan;
943 BT_DBG("conn %p", conn);
945 read_lock(&conn->chan_lock);
947 list_for_each_entry(chan, &conn->chan_l, list) {
948 struct sock *sk = chan->sk;
950 if (chan->force_reliable)
954 read_unlock(&conn->chan_lock);
957 static void l2cap_info_timeout(unsigned long arg)
959 struct l2cap_conn *conn = (void *) arg;
961 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
962 conn->info_ident = 0;
964 l2cap_conn_start(conn);
967 static void l2cap_conn_del(struct hci_conn *hcon, int err)
969 struct l2cap_conn *conn = hcon->l2cap_data;
970 struct l2cap_chan *chan, *l;
976 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
978 kfree_skb(conn->rx_skb);
981 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
984 l2cap_chan_del(chan, err);
986 chan->ops->close(chan->data);
989 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
990 del_timer_sync(&conn->info_timer);
992 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
993 del_timer(&conn->security_timer);
994 smp_chan_destroy(conn);
997 hcon->l2cap_data = NULL;
1001 static void security_timeout(unsigned long arg)
1003 struct l2cap_conn *conn = (void *) arg;
1005 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1008 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1010 struct l2cap_conn *conn = hcon->l2cap_data;
1015 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1019 hcon->l2cap_data = conn;
1022 BT_DBG("hcon %p conn %p", hcon, conn);
1024 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1025 conn->mtu = hcon->hdev->le_mtu;
1027 conn->mtu = hcon->hdev->acl_mtu;
1029 conn->src = &hcon->hdev->bdaddr;
1030 conn->dst = &hcon->dst;
1032 conn->feat_mask = 0;
1034 spin_lock_init(&conn->lock);
1035 rwlock_init(&conn->chan_lock);
1037 INIT_LIST_HEAD(&conn->chan_l);
1039 if (hcon->type == LE_LINK)
1040 setup_timer(&conn->security_timer, security_timeout,
1041 (unsigned long) conn);
1043 setup_timer(&conn->info_timer, l2cap_info_timeout,
1044 (unsigned long) conn);
1046 conn->disc_reason = 0x13;
1051 static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1053 write_lock_bh(&conn->chan_lock);
1054 __l2cap_chan_add(conn, chan);
1055 write_unlock_bh(&conn->chan_lock);
1058 /* ---- Socket interface ---- */
1060 /* Find socket with psm and source bdaddr.
1061 * Returns closest match.
1063 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1065 struct l2cap_chan *c, *c1 = NULL;
1067 read_lock(&chan_list_lock);
1069 list_for_each_entry(c, &chan_list, global_l) {
1070 struct sock *sk = c->sk;
1072 if (state && c->state != state)
1075 if (c->psm == psm) {
1077 if (!bacmp(&bt_sk(sk)->src, src)) {
1078 read_unlock(&chan_list_lock);
1083 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
1088 read_unlock(&chan_list_lock);
1093 int l2cap_chan_connect(struct l2cap_chan *chan)
1095 struct sock *sk = chan->sk;
1096 bdaddr_t *src = &bt_sk(sk)->src;
1097 bdaddr_t *dst = &bt_sk(sk)->dst;
1098 struct l2cap_conn *conn;
1099 struct hci_conn *hcon;
1100 struct hci_dev *hdev;
1104 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
1107 hdev = hci_get_route(dst, src);
1109 return -EHOSTUNREACH;
1111 hci_dev_lock_bh(hdev);
1113 auth_type = l2cap_get_auth_type(chan);
1115 if (chan->dcid == L2CAP_CID_LE_DATA)
1116 hcon = hci_connect(hdev, LE_LINK, dst,
1117 chan->sec_level, auth_type);
1119 hcon = hci_connect(hdev, ACL_LINK, dst,
1120 chan->sec_level, auth_type);
1123 err = PTR_ERR(hcon);
1127 conn = l2cap_conn_add(hcon, 0);
1134 /* Update source addr of the socket */
1135 bacpy(src, conn->src);
1137 l2cap_chan_add(conn, chan);
1139 l2cap_state_change(chan, BT_CONNECT);
1140 __set_chan_timer(chan, sk->sk_sndtimeo);
1142 if (hcon->state == BT_CONNECTED) {
1143 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1144 __clear_chan_timer(chan);
1145 if (l2cap_check_security(chan))
1146 l2cap_state_change(chan, BT_CONNECTED);
1148 l2cap_do_start(chan);
1154 hci_dev_unlock_bh(hdev);
1159 int __l2cap_wait_ack(struct sock *sk)
1161 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1162 DECLARE_WAITQUEUE(wait, current);
1166 add_wait_queue(sk_sleep(sk), &wait);
1167 set_current_state(TASK_INTERRUPTIBLE);
1168 while (chan->unacked_frames > 0 && chan->conn) {
1172 if (signal_pending(current)) {
1173 err = sock_intr_errno(timeo);
1178 timeo = schedule_timeout(timeo);
1180 set_current_state(TASK_INTERRUPTIBLE);
1182 err = sock_error(sk);
1186 set_current_state(TASK_RUNNING);
1187 remove_wait_queue(sk_sleep(sk), &wait);
1191 static void l2cap_monitor_timeout(unsigned long arg)
1193 struct l2cap_chan *chan = (void *) arg;
1194 struct sock *sk = chan->sk;
1196 BT_DBG("chan %p", chan);
1199 if (chan->retry_count >= chan->remote_max_tx) {
1200 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1205 chan->retry_count++;
1206 __set_monitor_timer(chan);
1208 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1212 static void l2cap_retrans_timeout(unsigned long arg)
1214 struct l2cap_chan *chan = (void *) arg;
1215 struct sock *sk = chan->sk;
1217 BT_DBG("chan %p", chan);
1220 chan->retry_count = 1;
1221 __set_monitor_timer(chan);
1223 set_bit(CONN_WAIT_F, &chan->conn_state);
1225 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1229 static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1231 struct sk_buff *skb;
1233 while ((skb = skb_peek(&chan->tx_q)) &&
1234 chan->unacked_frames) {
1235 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1238 skb = skb_dequeue(&chan->tx_q);
1241 chan->unacked_frames--;
1244 if (!chan->unacked_frames)
1245 __clear_retrans_timer(chan);
1248 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1250 struct hci_conn *hcon = chan->conn->hcon;
1253 BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
1255 if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
1256 flags = ACL_START_NO_FLUSH;
1260 bt_cb(skb)->force_active = chan->force_active;
1261 hci_send_acl(hcon, skb, flags);
1264 static void l2cap_streaming_send(struct l2cap_chan *chan)
1266 struct sk_buff *skb;
1269 while ((skb = skb_dequeue(&chan->tx_q))) {
1270 control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
1271 control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1272 put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
1274 if (chan->fcs == L2CAP_FCS_CRC16) {
1275 fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
1276 put_unaligned_le16(fcs, skb->data + skb->len - 2);
1279 l2cap_do_send(chan, skb);
1281 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1285 static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
1287 struct sk_buff *skb, *tx_skb;
1290 skb = skb_peek(&chan->tx_q);
1295 if (bt_cb(skb)->tx_seq == tx_seq)
1298 if (skb_queue_is_last(&chan->tx_q, skb))
1301 } while ((skb = skb_queue_next(&chan->tx_q, skb)));
1303 if (chan->remote_max_tx &&
1304 bt_cb(skb)->retries == chan->remote_max_tx) {
1305 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1309 tx_skb = skb_clone(skb, GFP_ATOMIC);
1310 bt_cb(skb)->retries++;
1311 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1312 control &= L2CAP_CTRL_SAR;
1314 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1315 control |= L2CAP_CTRL_FINAL;
1317 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1318 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1320 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1322 if (chan->fcs == L2CAP_FCS_CRC16) {
1323 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1324 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1327 l2cap_do_send(chan, tx_skb);
1330 static int l2cap_ertm_send(struct l2cap_chan *chan)
1332 struct sk_buff *skb, *tx_skb;
1336 if (chan->state != BT_CONNECTED)
1339 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1341 if (chan->remote_max_tx &&
1342 bt_cb(skb)->retries == chan->remote_max_tx) {
1343 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1347 tx_skb = skb_clone(skb, GFP_ATOMIC);
1349 bt_cb(skb)->retries++;
1351 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1352 control &= L2CAP_CTRL_SAR;
1354 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1355 control |= L2CAP_CTRL_FINAL;
1357 control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1358 | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1359 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1362 if (chan->fcs == L2CAP_FCS_CRC16) {
1363 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1364 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1367 l2cap_do_send(chan, tx_skb);
1369 __set_retrans_timer(chan);
1371 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1372 chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1374 if (bt_cb(skb)->retries == 1)
1375 chan->unacked_frames++;
1377 chan->frames_sent++;
1379 if (skb_queue_is_last(&chan->tx_q, skb))
1380 chan->tx_send_head = NULL;
1382 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1390 static int l2cap_retransmit_frames(struct l2cap_chan *chan)
1394 if (!skb_queue_empty(&chan->tx_q))
1395 chan->tx_send_head = chan->tx_q.next;
1397 chan->next_tx_seq = chan->expected_ack_seq;
1398 ret = l2cap_ertm_send(chan);
1402 static void l2cap_send_ack(struct l2cap_chan *chan)
1406 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1408 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
1409 control |= L2CAP_SUPER_RCV_NOT_READY;
1410 set_bit(CONN_RNR_SENT, &chan->conn_state);
1411 l2cap_send_sframe(chan, control);
1415 if (l2cap_ertm_send(chan) > 0)
1418 control |= L2CAP_SUPER_RCV_READY;
1419 l2cap_send_sframe(chan, control);
1422 static void l2cap_send_srejtail(struct l2cap_chan *chan)
1424 struct srej_list *tail;
1427 control = L2CAP_SUPER_SELECT_REJECT;
1428 control |= L2CAP_CTRL_FINAL;
1430 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
1431 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1433 l2cap_send_sframe(chan, control);
1436 static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1438 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1439 struct sk_buff **frag;
1442 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1448 /* Continuation fragments (no L2CAP header) */
1449 frag = &skb_shinfo(skb)->frag_list;
1451 count = min_t(unsigned int, conn->mtu, len);
1453 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1456 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1462 frag = &(*frag)->next;
1468 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1470 struct sock *sk = chan->sk;
1471 struct l2cap_conn *conn = chan->conn;
1472 struct sk_buff *skb;
1473 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1474 struct l2cap_hdr *lh;
1476 BT_DBG("sk %p len %d", sk, (int)len);
1478 count = min_t(unsigned int, (conn->mtu - hlen), len);
1479 skb = bt_skb_send_alloc(sk, count + hlen,
1480 msg->msg_flags & MSG_DONTWAIT, &err);
1482 return ERR_PTR(err);
1484 /* Create L2CAP header */
1485 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1486 lh->cid = cpu_to_le16(chan->dcid);
1487 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1488 put_unaligned_le16(chan->psm, skb_put(skb, 2));
1490 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1491 if (unlikely(err < 0)) {
1493 return ERR_PTR(err);
1498 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1500 struct sock *sk = chan->sk;
1501 struct l2cap_conn *conn = chan->conn;
1502 struct sk_buff *skb;
1503 int err, count, hlen = L2CAP_HDR_SIZE;
1504 struct l2cap_hdr *lh;
1506 BT_DBG("sk %p len %d", sk, (int)len);
1508 count = min_t(unsigned int, (conn->mtu - hlen), len);
1509 skb = bt_skb_send_alloc(sk, count + hlen,
1510 msg->msg_flags & MSG_DONTWAIT, &err);
1512 return ERR_PTR(err);
1514 /* Create L2CAP header */
1515 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1516 lh->cid = cpu_to_le16(chan->dcid);
1517 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1519 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1520 if (unlikely(err < 0)) {
1522 return ERR_PTR(err);
1527 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1528 struct msghdr *msg, size_t len,
1529 u16 control, u16 sdulen)
1531 struct sock *sk = chan->sk;
1532 struct l2cap_conn *conn = chan->conn;
1533 struct sk_buff *skb;
1534 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1535 struct l2cap_hdr *lh;
1537 BT_DBG("sk %p len %d", sk, (int)len);
1540 return ERR_PTR(-ENOTCONN);
1545 if (chan->fcs == L2CAP_FCS_CRC16)
1548 count = min_t(unsigned int, (conn->mtu - hlen), len);
1549 skb = bt_skb_send_alloc(sk, count + hlen,
1550 msg->msg_flags & MSG_DONTWAIT, &err);
1552 return ERR_PTR(err);
1554 /* Create L2CAP header */
1555 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1556 lh->cid = cpu_to_le16(chan->dcid);
1557 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1558 put_unaligned_le16(control, skb_put(skb, 2));
1560 put_unaligned_le16(sdulen, skb_put(skb, 2));
1562 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1563 if (unlikely(err < 0)) {
1565 return ERR_PTR(err);
1568 if (chan->fcs == L2CAP_FCS_CRC16)
1569 put_unaligned_le16(0, skb_put(skb, 2));
1571 bt_cb(skb)->retries = 0;
1575 static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1577 struct sk_buff *skb;
1578 struct sk_buff_head sar_queue;
1582 skb_queue_head_init(&sar_queue);
1583 control = L2CAP_SDU_START;
1584 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
1586 return PTR_ERR(skb);
1588 __skb_queue_tail(&sar_queue, skb);
1589 len -= chan->remote_mps;
1590 size += chan->remote_mps;
1595 if (len > chan->remote_mps) {
1596 control = L2CAP_SDU_CONTINUE;
1597 buflen = chan->remote_mps;
1599 control = L2CAP_SDU_END;
1603 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
1605 skb_queue_purge(&sar_queue);
1606 return PTR_ERR(skb);
1609 __skb_queue_tail(&sar_queue, skb);
1613 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1614 if (chan->tx_send_head == NULL)
1615 chan->tx_send_head = sar_queue.next;
1620 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1622 struct sk_buff *skb;
1626 /* Connectionless channel */
1627 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
1628 skb = l2cap_create_connless_pdu(chan, msg, len);
1630 return PTR_ERR(skb);
1632 l2cap_do_send(chan, skb);
1636 switch (chan->mode) {
1637 case L2CAP_MODE_BASIC:
1638 /* Check outgoing MTU */
1639 if (len > chan->omtu)
1642 /* Create a basic PDU */
1643 skb = l2cap_create_basic_pdu(chan, msg, len);
1645 return PTR_ERR(skb);
1647 l2cap_do_send(chan, skb);
1651 case L2CAP_MODE_ERTM:
1652 case L2CAP_MODE_STREAMING:
1653 /* Entire SDU fits into one PDU */
1654 if (len <= chan->remote_mps) {
1655 control = L2CAP_SDU_UNSEGMENTED;
1656 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1659 return PTR_ERR(skb);
1661 __skb_queue_tail(&chan->tx_q, skb);
1663 if (chan->tx_send_head == NULL)
1664 chan->tx_send_head = skb;
1667 /* Segment SDU into multiples PDUs */
1668 err = l2cap_sar_segment_sdu(chan, msg, len);
1673 if (chan->mode == L2CAP_MODE_STREAMING) {
1674 l2cap_streaming_send(chan);
1679 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1680 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1685 err = l2cap_ertm_send(chan);
1692 BT_DBG("bad state %1.1x", chan->mode);
1699 /* Copy frame to all raw sockets on that connection */
1700 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1702 struct sk_buff *nskb;
1703 struct l2cap_chan *chan;
1705 BT_DBG("conn %p", conn);
1707 read_lock(&conn->chan_lock);
1708 list_for_each_entry(chan, &conn->chan_l, list) {
1709 struct sock *sk = chan->sk;
1710 if (chan->chan_type != L2CAP_CHAN_RAW)
1713 /* Don't send frame to the socket it came from */
1716 nskb = skb_clone(skb, GFP_ATOMIC);
1720 if (chan->ops->recv(chan->data, nskb))
1723 read_unlock(&conn->chan_lock);
1726 /* ---- L2CAP signalling commands ---- */
1727 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1728 u8 code, u8 ident, u16 dlen, void *data)
1730 struct sk_buff *skb, **frag;
1731 struct l2cap_cmd_hdr *cmd;
1732 struct l2cap_hdr *lh;
1735 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1736 conn, code, ident, dlen);
1738 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1739 count = min_t(unsigned int, conn->mtu, len);
1741 skb = bt_skb_alloc(count, GFP_ATOMIC);
1745 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1746 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1748 if (conn->hcon->type == LE_LINK)
1749 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1751 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1753 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1756 cmd->len = cpu_to_le16(dlen);
1759 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1760 memcpy(skb_put(skb, count), data, count);
1766 /* Continuation fragments (no L2CAP header) */
1767 frag = &skb_shinfo(skb)->frag_list;
1769 count = min_t(unsigned int, conn->mtu, len);
1771 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1775 memcpy(skb_put(*frag, count), data, count);
1780 frag = &(*frag)->next;
1790 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1792 struct l2cap_conf_opt *opt = *ptr;
1795 len = L2CAP_CONF_OPT_SIZE + opt->len;
1803 *val = *((u8 *) opt->val);
1807 *val = get_unaligned_le16(opt->val);
1811 *val = get_unaligned_le32(opt->val);
1815 *val = (unsigned long) opt->val;
1819 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1823 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1825 struct l2cap_conf_opt *opt = *ptr;
1827 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1834 *((u8 *) opt->val) = val;
1838 put_unaligned_le16(val, opt->val);
1842 put_unaligned_le32(val, opt->val);
1846 memcpy(opt->val, (void *) val, len);
1850 *ptr += L2CAP_CONF_OPT_SIZE + len;
1853 static void l2cap_ack_timeout(unsigned long arg)
1855 struct l2cap_chan *chan = (void *) arg;
1857 bh_lock_sock(chan->sk);
1858 l2cap_send_ack(chan);
1859 bh_unlock_sock(chan->sk);
1862 static inline void l2cap_ertm_init(struct l2cap_chan *chan)
1864 struct sock *sk = chan->sk;
1866 chan->expected_ack_seq = 0;
1867 chan->unacked_frames = 0;
1868 chan->buffer_seq = 0;
1869 chan->num_acked = 0;
1870 chan->frames_sent = 0;
1872 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
1873 (unsigned long) chan);
1874 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
1875 (unsigned long) chan);
1876 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
1878 skb_queue_head_init(&chan->srej_q);
1880 INIT_LIST_HEAD(&chan->srej_l);
1883 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
1886 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
1889 case L2CAP_MODE_STREAMING:
1890 case L2CAP_MODE_ERTM:
1891 if (l2cap_mode_supported(mode, remote_feat_mask))
1895 return L2CAP_MODE_BASIC;
1899 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1901 struct l2cap_conf_req *req = data;
1902 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1903 void *ptr = req->data;
1905 BT_DBG("chan %p", chan);
1907 if (chan->num_conf_req || chan->num_conf_rsp)
1910 switch (chan->mode) {
1911 case L2CAP_MODE_STREAMING:
1912 case L2CAP_MODE_ERTM:
1913 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
1918 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
1923 if (chan->imtu != L2CAP_DEFAULT_MTU)
1924 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
1926 switch (chan->mode) {
1927 case L2CAP_MODE_BASIC:
1928 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
1929 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
1932 rfc.mode = L2CAP_MODE_BASIC;
1934 rfc.max_transmit = 0;
1935 rfc.retrans_timeout = 0;
1936 rfc.monitor_timeout = 0;
1937 rfc.max_pdu_size = 0;
1939 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1940 (unsigned long) &rfc);
1943 case L2CAP_MODE_ERTM:
1944 rfc.mode = L2CAP_MODE_ERTM;
1945 rfc.txwin_size = chan->tx_win;
1946 rfc.max_transmit = chan->max_tx;
1947 rfc.retrans_timeout = 0;
1948 rfc.monitor_timeout = 0;
1949 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
1950 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1951 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1953 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1954 (unsigned long) &rfc);
1956 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
1959 if (chan->fcs == L2CAP_FCS_NONE ||
1960 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
1961 chan->fcs = L2CAP_FCS_NONE;
1962 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1966 case L2CAP_MODE_STREAMING:
1967 rfc.mode = L2CAP_MODE_STREAMING;
1969 rfc.max_transmit = 0;
1970 rfc.retrans_timeout = 0;
1971 rfc.monitor_timeout = 0;
1972 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
1973 if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
1974 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1976 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
1977 (unsigned long) &rfc);
1979 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
1982 if (chan->fcs == L2CAP_FCS_NONE ||
1983 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
1984 chan->fcs = L2CAP_FCS_NONE;
1985 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1990 req->dcid = cpu_to_le16(chan->dcid);
1991 req->flags = cpu_to_le16(0);
1996 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1998 struct l2cap_conf_rsp *rsp = data;
1999 void *ptr = rsp->data;
2000 void *req = chan->conf_req;
2001 int len = chan->conf_len;
2002 int type, hint, olen;
2004 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2005 u16 mtu = L2CAP_DEFAULT_MTU;
2006 u16 result = L2CAP_CONF_SUCCESS;
2008 BT_DBG("chan %p", chan);
2010 while (len >= L2CAP_CONF_OPT_SIZE) {
2011 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
2013 hint = type & L2CAP_CONF_HINT;
2014 type &= L2CAP_CONF_MASK;
2017 case L2CAP_CONF_MTU:
2021 case L2CAP_CONF_FLUSH_TO:
2022 chan->flush_to = val;
2025 case L2CAP_CONF_QOS:
2028 case L2CAP_CONF_RFC:
2029 if (olen == sizeof(rfc))
2030 memcpy(&rfc, (void *) val, olen);
2033 case L2CAP_CONF_FCS:
2034 if (val == L2CAP_FCS_NONE)
2035 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
2043 result = L2CAP_CONF_UNKNOWN;
2044 *((u8 *) ptr++) = type;
2049 if (chan->num_conf_rsp || chan->num_conf_req > 1)
2052 switch (chan->mode) {
2053 case L2CAP_MODE_STREAMING:
2054 case L2CAP_MODE_ERTM:
2055 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
2056 chan->mode = l2cap_select_mode(rfc.mode,
2057 chan->conn->feat_mask);
2061 if (chan->mode != rfc.mode)
2062 return -ECONNREFUSED;
2068 if (chan->mode != rfc.mode) {
2069 result = L2CAP_CONF_UNACCEPT;
2070 rfc.mode = chan->mode;
2072 if (chan->num_conf_rsp == 1)
2073 return -ECONNREFUSED;
2075 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2076 sizeof(rfc), (unsigned long) &rfc);
2080 if (result == L2CAP_CONF_SUCCESS) {
2081 /* Configure output options and let the other side know
2082 * which ones we don't like. */
2084 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2085 result = L2CAP_CONF_UNACCEPT;
2088 set_bit(CONF_MTU_DONE, &chan->conf_state);
2090 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
2093 case L2CAP_MODE_BASIC:
2094 chan->fcs = L2CAP_FCS_NONE;
2095 set_bit(CONF_MODE_DONE, &chan->conf_state);
2098 case L2CAP_MODE_ERTM:
2099 chan->remote_tx_win = rfc.txwin_size;
2100 chan->remote_max_tx = rfc.max_transmit;
2102 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2103 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
2105 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
2107 rfc.retrans_timeout =
2108 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2109 rfc.monitor_timeout =
2110 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
2112 set_bit(CONF_MODE_DONE, &chan->conf_state);
2114 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2115 sizeof(rfc), (unsigned long) &rfc);
2119 case L2CAP_MODE_STREAMING:
2120 if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
2121 rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
2123 chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
2125 set_bit(CONF_MODE_DONE, &chan->conf_state);
2127 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2128 sizeof(rfc), (unsigned long) &rfc);
2133 result = L2CAP_CONF_UNACCEPT;
2135 memset(&rfc, 0, sizeof(rfc));
2136 rfc.mode = chan->mode;
2139 if (result == L2CAP_CONF_SUCCESS)
2140 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2142 rsp->scid = cpu_to_le16(chan->dcid);
2143 rsp->result = cpu_to_le16(result);
2144 rsp->flags = cpu_to_le16(0x0000);
2149 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
2151 struct l2cap_conf_req *req = data;
2152 void *ptr = req->data;
2155 struct l2cap_conf_rfc rfc;
2157 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
2159 while (len >= L2CAP_CONF_OPT_SIZE) {
2160 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2163 case L2CAP_CONF_MTU:
2164 if (val < L2CAP_DEFAULT_MIN_MTU) {
2165 *result = L2CAP_CONF_UNACCEPT;
2166 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
2169 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
2172 case L2CAP_CONF_FLUSH_TO:
2173 chan->flush_to = val;
2174 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2178 case L2CAP_CONF_RFC:
2179 if (olen == sizeof(rfc))
2180 memcpy(&rfc, (void *)val, olen);
2182 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2183 rfc.mode != chan->mode)
2184 return -ECONNREFUSED;
2188 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2189 sizeof(rfc), (unsigned long) &rfc);
2194 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
2195 return -ECONNREFUSED;
2197 chan->mode = rfc.mode;
2199 if (*result == L2CAP_CONF_SUCCESS) {
2201 case L2CAP_MODE_ERTM:
2202 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2203 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2204 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2206 case L2CAP_MODE_STREAMING:
2207 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2211 req->dcid = cpu_to_le16(chan->dcid);
2212 req->flags = cpu_to_le16(0x0000);
2217 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
2219 struct l2cap_conf_rsp *rsp = data;
2220 void *ptr = rsp->data;
2222 BT_DBG("chan %p", chan);
2224 rsp->scid = cpu_to_le16(chan->dcid);
2225 rsp->result = cpu_to_le16(result);
2226 rsp->flags = cpu_to_le16(flags);
2231 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2233 struct l2cap_conn_rsp rsp;
2234 struct l2cap_conn *conn = chan->conn;
2237 rsp.scid = cpu_to_le16(chan->dcid);
2238 rsp.dcid = cpu_to_le16(chan->scid);
2239 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2240 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2241 l2cap_send_cmd(conn, chan->ident,
2242 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2244 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2247 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2248 l2cap_build_conf_req(chan, buf), buf);
2249 chan->num_conf_req++;
2252 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
2256 struct l2cap_conf_rfc rfc;
2258 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
2260 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
2263 while (len >= L2CAP_CONF_OPT_SIZE) {
2264 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2267 case L2CAP_CONF_RFC:
2268 if (olen == sizeof(rfc))
2269 memcpy(&rfc, (void *)val, olen);
2276 case L2CAP_MODE_ERTM:
2277 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2278 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2279 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2281 case L2CAP_MODE_STREAMING:
2282 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2286 static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2288 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
2290 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
2293 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2294 cmd->ident == conn->info_ident) {
2295 del_timer(&conn->info_timer);
2297 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2298 conn->info_ident = 0;
2300 l2cap_conn_start(conn);
2306 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2308 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2309 struct l2cap_conn_rsp rsp;
2310 struct l2cap_chan *chan = NULL, *pchan;
2311 struct sock *parent, *sk = NULL;
2312 int result, status = L2CAP_CS_NO_INFO;
2314 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
2315 __le16 psm = req->psm;
2317 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2319 /* Check if we have socket listening on psm */
2320 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2322 result = L2CAP_CR_BAD_PSM;
2328 bh_lock_sock(parent);
2330 /* Check if the ACL is secure enough (if not SDP) */
2331 if (psm != cpu_to_le16(0x0001) &&
2332 !hci_conn_check_link_mode(conn->hcon)) {
2333 conn->disc_reason = 0x05;
2334 result = L2CAP_CR_SEC_BLOCK;
2338 result = L2CAP_CR_NO_MEM;
2340 /* Check for backlog size */
2341 if (sk_acceptq_is_full(parent)) {
2342 BT_DBG("backlog full %d", parent->sk_ack_backlog);
2346 chan = pchan->ops->new_connection(pchan->data);
2352 write_lock_bh(&conn->chan_lock);
2354 /* Check if we already have channel with that dcid */
2355 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2356 write_unlock_bh(&conn->chan_lock);
2357 sock_set_flag(sk, SOCK_ZAPPED);
2358 chan->ops->close(chan->data);
2362 hci_conn_hold(conn->hcon);
2364 bacpy(&bt_sk(sk)->src, conn->src);
2365 bacpy(&bt_sk(sk)->dst, conn->dst);
2369 bt_accept_enqueue(parent, sk);
2371 __l2cap_chan_add(conn, chan);
2375 __set_chan_timer(chan, sk->sk_sndtimeo);
2377 chan->ident = cmd->ident;
2379 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2380 if (l2cap_check_security(chan)) {
2381 if (bt_sk(sk)->defer_setup) {
2382 l2cap_state_change(chan, BT_CONNECT2);
2383 result = L2CAP_CR_PEND;
2384 status = L2CAP_CS_AUTHOR_PEND;
2385 parent->sk_data_ready(parent, 0);
2387 l2cap_state_change(chan, BT_CONFIG);
2388 result = L2CAP_CR_SUCCESS;
2389 status = L2CAP_CS_NO_INFO;
2392 l2cap_state_change(chan, BT_CONNECT2);
2393 result = L2CAP_CR_PEND;
2394 status = L2CAP_CS_AUTHEN_PEND;
2397 l2cap_state_change(chan, BT_CONNECT2);
2398 result = L2CAP_CR_PEND;
2399 status = L2CAP_CS_NO_INFO;
2402 write_unlock_bh(&conn->chan_lock);
2405 bh_unlock_sock(parent);
2408 rsp.scid = cpu_to_le16(scid);
2409 rsp.dcid = cpu_to_le16(dcid);
2410 rsp.result = cpu_to_le16(result);
2411 rsp.status = cpu_to_le16(status);
2412 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2414 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2415 struct l2cap_info_req info;
2416 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2418 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2419 conn->info_ident = l2cap_get_ident(conn);
2421 mod_timer(&conn->info_timer, jiffies +
2422 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2424 l2cap_send_cmd(conn, conn->info_ident,
2425 L2CAP_INFO_REQ, sizeof(info), &info);
2428 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2429 result == L2CAP_CR_SUCCESS) {
2431 set_bit(CONF_REQ_SENT, &chan->conf_state);
2432 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2433 l2cap_build_conf_req(chan, buf), buf);
2434 chan->num_conf_req++;
2440 static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2442 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2443 u16 scid, dcid, result, status;
2444 struct l2cap_chan *chan;
2448 scid = __le16_to_cpu(rsp->scid);
2449 dcid = __le16_to_cpu(rsp->dcid);
2450 result = __le16_to_cpu(rsp->result);
2451 status = __le16_to_cpu(rsp->status);
2453 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2456 chan = l2cap_get_chan_by_scid(conn, scid);
2460 chan = l2cap_get_chan_by_ident(conn, cmd->ident);
2468 case L2CAP_CR_SUCCESS:
2469 l2cap_state_change(chan, BT_CONFIG);
2472 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
2474 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2477 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2478 l2cap_build_conf_req(chan, req), req);
2479 chan->num_conf_req++;
2483 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
2487 /* don't delete l2cap channel if sk is owned by user */
2488 if (sock_owned_by_user(sk)) {
2489 l2cap_state_change(chan, BT_DISCONN);
2490 __clear_chan_timer(chan);
2491 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
2495 l2cap_chan_del(chan, ECONNREFUSED);
2503 static inline void set_default_fcs(struct l2cap_chan *chan)
2505 /* FCS is enabled only in ERTM or streaming mode, if one or both
2508 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
2509 chan->fcs = L2CAP_FCS_NONE;
2510 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
2511 chan->fcs = L2CAP_FCS_CRC16;
2514 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2516 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2519 struct l2cap_chan *chan;
2523 dcid = __le16_to_cpu(req->dcid);
2524 flags = __le16_to_cpu(req->flags);
2526 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2528 chan = l2cap_get_chan_by_scid(conn, dcid);
2534 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
2535 struct l2cap_cmd_rej_cid rej;
2537 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2538 rej.scid = cpu_to_le16(chan->scid);
2539 rej.dcid = cpu_to_le16(chan->dcid);
2541 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2546 /* Reject if config buffer is too small. */
2547 len = cmd_len - sizeof(*req);
2548 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
2549 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2550 l2cap_build_conf_rsp(chan, rsp,
2551 L2CAP_CONF_REJECT, flags), rsp);
2556 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2557 chan->conf_len += len;
2559 if (flags & 0x0001) {
2560 /* Incomplete config. Send empty response. */
2561 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2562 l2cap_build_conf_rsp(chan, rsp,
2563 L2CAP_CONF_SUCCESS, 0x0001), rsp);
2567 /* Complete config. */
2568 len = l2cap_parse_conf_req(chan, rsp);
2570 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2574 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2575 chan->num_conf_rsp++;
2577 /* Reset config buffer. */
2580 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
2583 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
2584 set_default_fcs(chan);
2586 l2cap_state_change(chan, BT_CONNECTED);
2588 chan->next_tx_seq = 0;
2589 chan->expected_tx_seq = 0;
2590 skb_queue_head_init(&chan->tx_q);
2591 if (chan->mode == L2CAP_MODE_ERTM)
2592 l2cap_ertm_init(chan);
2594 l2cap_chan_ready(sk);
2598 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
2600 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2601 l2cap_build_conf_req(chan, buf), buf);
2602 chan->num_conf_req++;
2610 static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2612 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2613 u16 scid, flags, result;
2614 struct l2cap_chan *chan;
2616 int len = cmd->len - sizeof(*rsp);
2618 scid = __le16_to_cpu(rsp->scid);
2619 flags = __le16_to_cpu(rsp->flags);
2620 result = __le16_to_cpu(rsp->result);
2622 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
2623 scid, flags, result);
2625 chan = l2cap_get_chan_by_scid(conn, scid);
2632 case L2CAP_CONF_SUCCESS:
2633 l2cap_conf_rfc_get(chan, rsp->data, len);
2636 case L2CAP_CONF_UNACCEPT:
2637 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
2640 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
2641 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2645 /* throw out any old stored conf requests */
2646 result = L2CAP_CONF_SUCCESS;
2647 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2650 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2654 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2655 L2CAP_CONF_REQ, len, req);
2656 chan->num_conf_req++;
2657 if (result != L2CAP_CONF_SUCCESS)
2663 sk->sk_err = ECONNRESET;
2664 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
2665 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2672 set_bit(CONF_INPUT_DONE, &chan->conf_state);
2674 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
2675 set_default_fcs(chan);
2677 l2cap_state_change(chan, BT_CONNECTED);
2678 chan->next_tx_seq = 0;
2679 chan->expected_tx_seq = 0;
2680 skb_queue_head_init(&chan->tx_q);
2681 if (chan->mode == L2CAP_MODE_ERTM)
2682 l2cap_ertm_init(chan);
2684 l2cap_chan_ready(sk);
2692 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2694 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
2695 struct l2cap_disconn_rsp rsp;
2697 struct l2cap_chan *chan;
2700 scid = __le16_to_cpu(req->scid);
2701 dcid = __le16_to_cpu(req->dcid);
2703 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
2705 chan = l2cap_get_chan_by_scid(conn, dcid);
2711 rsp.dcid = cpu_to_le16(chan->scid);
2712 rsp.scid = cpu_to_le16(chan->dcid);
2713 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
2715 sk->sk_shutdown = SHUTDOWN_MASK;
2717 /* don't delete l2cap channel if sk is owned by user */
2718 if (sock_owned_by_user(sk)) {
2719 l2cap_state_change(chan, BT_DISCONN);
2720 __clear_chan_timer(chan);
2721 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
2726 l2cap_chan_del(chan, ECONNRESET);
2729 chan->ops->close(chan->data);
2733 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2735 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
2737 struct l2cap_chan *chan;
2740 scid = __le16_to_cpu(rsp->scid);
2741 dcid = __le16_to_cpu(rsp->dcid);
2743 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
2745 chan = l2cap_get_chan_by_scid(conn, scid);
2751 /* don't delete l2cap channel if sk is owned by user */
2752 if (sock_owned_by_user(sk)) {
2753 l2cap_state_change(chan,BT_DISCONN);
2754 __clear_chan_timer(chan);
2755 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
2760 l2cap_chan_del(chan, 0);
2763 chan->ops->close(chan->data);
2767 static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2769 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
2772 type = __le16_to_cpu(req->type);
2774 BT_DBG("type 0x%4.4x", type);
2776 if (type == L2CAP_IT_FEAT_MASK) {
2778 u32 feat_mask = l2cap_feat_mask;
2779 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2780 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2781 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2783 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2785 put_unaligned_le32(feat_mask, rsp->data);
2786 l2cap_send_cmd(conn, cmd->ident,
2787 L2CAP_INFO_RSP, sizeof(buf), buf);
2788 } else if (type == L2CAP_IT_FIXED_CHAN) {
2790 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
2791 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2792 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2793 memcpy(buf + 4, l2cap_fixed_chan, 8);
2794 l2cap_send_cmd(conn, cmd->ident,
2795 L2CAP_INFO_RSP, sizeof(buf), buf);
2797 struct l2cap_info_rsp rsp;
2798 rsp.type = cpu_to_le16(type);
2799 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
2800 l2cap_send_cmd(conn, cmd->ident,
2801 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
2807 static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2809 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
2812 type = __le16_to_cpu(rsp->type);
2813 result = __le16_to_cpu(rsp->result);
2815 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
2817 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
2818 if (cmd->ident != conn->info_ident ||
2819 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
2822 del_timer(&conn->info_timer);
2824 if (result != L2CAP_IR_SUCCESS) {
2825 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2826 conn->info_ident = 0;
2828 l2cap_conn_start(conn);
2833 if (type == L2CAP_IT_FEAT_MASK) {
2834 conn->feat_mask = get_unaligned_le32(rsp->data);
2836 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
2837 struct l2cap_info_req req;
2838 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
2840 conn->info_ident = l2cap_get_ident(conn);
2842 l2cap_send_cmd(conn, conn->info_ident,
2843 L2CAP_INFO_REQ, sizeof(req), &req);
2845 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2846 conn->info_ident = 0;
2848 l2cap_conn_start(conn);
2850 } else if (type == L2CAP_IT_FIXED_CHAN) {
2851 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2852 conn->info_ident = 0;
2854 l2cap_conn_start(conn);
2860 static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2865 if (min > max || min < 6 || max > 3200)
2868 if (to_multiplier < 10 || to_multiplier > 3200)
2871 if (max >= to_multiplier * 8)
2874 max_latency = (to_multiplier * 8 / max) - 1;
2875 if (latency > 499 || latency > max_latency)
2881 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2882 struct l2cap_cmd_hdr *cmd, u8 *data)
2884 struct hci_conn *hcon = conn->hcon;
2885 struct l2cap_conn_param_update_req *req;
2886 struct l2cap_conn_param_update_rsp rsp;
2887 u16 min, max, latency, to_multiplier, cmd_len;
2890 if (!(hcon->link_mode & HCI_LM_MASTER))
2893 cmd_len = __le16_to_cpu(cmd->len);
2894 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
2897 req = (struct l2cap_conn_param_update_req *) data;
2898 min = __le16_to_cpu(req->min);
2899 max = __le16_to_cpu(req->max);
2900 latency = __le16_to_cpu(req->latency);
2901 to_multiplier = __le16_to_cpu(req->to_multiplier);
2903 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2904 min, max, latency, to_multiplier);
2906 memset(&rsp, 0, sizeof(rsp));
2908 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
2910 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
2912 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
2914 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2918 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
2923 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2924 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2928 switch (cmd->code) {
2929 case L2CAP_COMMAND_REJ:
2930 l2cap_command_rej(conn, cmd, data);
2933 case L2CAP_CONN_REQ:
2934 err = l2cap_connect_req(conn, cmd, data);
2937 case L2CAP_CONN_RSP:
2938 err = l2cap_connect_rsp(conn, cmd, data);
2941 case L2CAP_CONF_REQ:
2942 err = l2cap_config_req(conn, cmd, cmd_len, data);
2945 case L2CAP_CONF_RSP:
2946 err = l2cap_config_rsp(conn, cmd, data);
2949 case L2CAP_DISCONN_REQ:
2950 err = l2cap_disconnect_req(conn, cmd, data);
2953 case L2CAP_DISCONN_RSP:
2954 err = l2cap_disconnect_rsp(conn, cmd, data);
2957 case L2CAP_ECHO_REQ:
2958 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
2961 case L2CAP_ECHO_RSP:
2964 case L2CAP_INFO_REQ:
2965 err = l2cap_information_req(conn, cmd, data);
2968 case L2CAP_INFO_RSP:
2969 err = l2cap_information_rsp(conn, cmd, data);
2973 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
2981 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2982 struct l2cap_cmd_hdr *cmd, u8 *data)
2984 switch (cmd->code) {
2985 case L2CAP_COMMAND_REJ:
2988 case L2CAP_CONN_PARAM_UPDATE_REQ:
2989 return l2cap_conn_param_update_req(conn, cmd, data);
2991 case L2CAP_CONN_PARAM_UPDATE_RSP:
2995 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3000 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3001 struct sk_buff *skb)
3003 u8 *data = skb->data;
3005 struct l2cap_cmd_hdr cmd;
3008 l2cap_raw_recv(conn, skb);
3010 while (len >= L2CAP_CMD_HDR_SIZE) {
3012 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3013 data += L2CAP_CMD_HDR_SIZE;
3014 len -= L2CAP_CMD_HDR_SIZE;
3016 cmd_len = le16_to_cpu(cmd.len);
3018 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
3020 if (cmd_len > len || !cmd.ident) {
3021 BT_DBG("corrupted command");
3025 if (conn->hcon->type == LE_LINK)
3026 err = l2cap_le_sig_cmd(conn, &cmd, data);
3028 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
3031 struct l2cap_cmd_rej_unk rej;
3033 BT_ERR("Wrong link type (%d)", err);
3035 /* FIXME: Map err to a valid reason */
3036 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
3037 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3047 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
3049 u16 our_fcs, rcv_fcs;
3050 int hdr_size = L2CAP_HDR_SIZE + 2;
3052 if (chan->fcs == L2CAP_FCS_CRC16) {
3053 skb_trim(skb, skb->len - 2);
3054 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3055 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3057 if (our_fcs != rcv_fcs)
3063 static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
3067 chan->frames_sent = 0;
3069 control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3071 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3072 control |= L2CAP_SUPER_RCV_NOT_READY;
3073 l2cap_send_sframe(chan, control);
3074 set_bit(CONN_RNR_SENT, &chan->conn_state);
3077 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
3078 l2cap_retransmit_frames(chan);
3080 l2cap_ertm_send(chan);
3082 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
3083 chan->frames_sent == 0) {
3084 control |= L2CAP_SUPER_RCV_READY;
3085 l2cap_send_sframe(chan, control);
3089 static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
3091 struct sk_buff *next_skb;
3092 int tx_seq_offset, next_tx_seq_offset;
3094 bt_cb(skb)->tx_seq = tx_seq;
3095 bt_cb(skb)->sar = sar;
3097 next_skb = skb_peek(&chan->srej_q);
3099 __skb_queue_tail(&chan->srej_q, skb);
3103 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
3104 if (tx_seq_offset < 0)
3105 tx_seq_offset += 64;
3108 if (bt_cb(next_skb)->tx_seq == tx_seq)
3111 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
3112 chan->buffer_seq) % 64;
3113 if (next_tx_seq_offset < 0)
3114 next_tx_seq_offset += 64;
3116 if (next_tx_seq_offset > tx_seq_offset) {
3117 __skb_queue_before(&chan->srej_q, next_skb, skb);
3121 if (skb_queue_is_last(&chan->srej_q, next_skb))
3124 } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
3126 __skb_queue_tail(&chan->srej_q, skb);
3131 static void append_skb_frag(struct sk_buff *skb,
3132 struct sk_buff *new_frag, struct sk_buff **last_frag)
3134 /* skb->len reflects data in skb as well as all fragments
3135 * skb->data_len reflects only data in fragments
3137 if (!skb_has_frag_list(skb))
3138 skb_shinfo(skb)->frag_list = new_frag;
3140 new_frag->next = NULL;
3142 (*last_frag)->next = new_frag;
3143 *last_frag = new_frag;
3145 skb->len += new_frag->len;
3146 skb->data_len += new_frag->len;
3147 skb->truesize += new_frag->truesize;
3150 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
3154 switch (control & L2CAP_CTRL_SAR) {
3155 case L2CAP_SDU_UNSEGMENTED:
3159 err = chan->ops->recv(chan->data, skb);
3162 case L2CAP_SDU_START:
3166 chan->sdu_len = get_unaligned_le16(skb->data);
3169 if (chan->sdu_len > chan->imtu) {
3174 if (skb->len >= chan->sdu_len)
3178 chan->sdu_last_frag = skb;
3184 case L2CAP_SDU_CONTINUE:
3188 append_skb_frag(chan->sdu, skb,
3189 &chan->sdu_last_frag);
3192 if (chan->sdu->len >= chan->sdu_len)
3202 append_skb_frag(chan->sdu, skb,
3203 &chan->sdu_last_frag);
3206 if (chan->sdu->len != chan->sdu_len)
3209 err = chan->ops->recv(chan->data, chan->sdu);
3212 /* Reassembly complete */
3214 chan->sdu_last_frag = NULL;
3222 kfree_skb(chan->sdu);
3224 chan->sdu_last_frag = NULL;
3231 static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
3235 BT_DBG("chan %p, Enter local busy", chan);
3237 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3239 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3240 control |= L2CAP_SUPER_RCV_NOT_READY;
3241 l2cap_send_sframe(chan, control);
3243 set_bit(CONN_RNR_SENT, &chan->conn_state);
3245 __clear_ack_timer(chan);
3248 static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3252 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3255 control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3256 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3257 l2cap_send_sframe(chan, control);
3258 chan->retry_count = 1;
3260 __clear_retrans_timer(chan);
3261 __set_monitor_timer(chan);
3263 set_bit(CONN_WAIT_F, &chan->conn_state);
3266 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3267 clear_bit(CONN_RNR_SENT, &chan->conn_state);
3269 BT_DBG("chan %p, Exit local busy", chan);
3272 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
3274 if (chan->mode == L2CAP_MODE_ERTM) {
3276 l2cap_ertm_enter_local_busy(chan);
3278 l2cap_ertm_exit_local_busy(chan);
3282 static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
3284 struct sk_buff *skb;
3287 while ((skb = skb_peek(&chan->srej_q)) &&
3288 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3291 if (bt_cb(skb)->tx_seq != tx_seq)
3294 skb = skb_dequeue(&chan->srej_q);
3295 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3296 err = l2cap_reassemble_sdu(chan, skb, control);
3299 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3303 chan->buffer_seq_srej =
3304 (chan->buffer_seq_srej + 1) % 64;
3305 tx_seq = (tx_seq + 1) % 64;
3309 static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
3311 struct srej_list *l, *tmp;
3314 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
3315 if (l->tx_seq == tx_seq) {
3320 control = L2CAP_SUPER_SELECT_REJECT;
3321 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3322 l2cap_send_sframe(chan, control);
3324 list_add_tail(&l->list, &chan->srej_l);
3328 static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
3330 struct srej_list *new;
3333 while (tx_seq != chan->expected_tx_seq) {
3334 control = L2CAP_SUPER_SELECT_REJECT;
3335 control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3336 l2cap_send_sframe(chan, control);
3338 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3339 new->tx_seq = chan->expected_tx_seq;
3340 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3341 list_add_tail(&new->list, &chan->srej_l);
3343 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3346 static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
3348 u8 tx_seq = __get_txseq(rx_control);
3349 u8 req_seq = __get_reqseq(rx_control);
3350 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
3351 int tx_seq_offset, expected_tx_seq_offset;
3352 int num_to_ack = (chan->tx_win/6) + 1;
3355 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
3356 tx_seq, rx_control);
3358 if (L2CAP_CTRL_FINAL & rx_control &&
3359 test_bit(CONN_WAIT_F, &chan->conn_state)) {
3360 __clear_monitor_timer(chan);
3361 if (chan->unacked_frames > 0)
3362 __set_retrans_timer(chan);
3363 clear_bit(CONN_WAIT_F, &chan->conn_state);
3366 chan->expected_ack_seq = req_seq;
3367 l2cap_drop_acked_frames(chan);
3369 tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
3370 if (tx_seq_offset < 0)
3371 tx_seq_offset += 64;
3373 /* invalid tx_seq */
3374 if (tx_seq_offset >= chan->tx_win) {
3375 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3379 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
3382 if (tx_seq == chan->expected_tx_seq)
3385 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3386 struct srej_list *first;
3388 first = list_first_entry(&chan->srej_l,
3389 struct srej_list, list);
3390 if (tx_seq == first->tx_seq) {
3391 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3392 l2cap_check_srej_gap(chan, tx_seq);
3394 list_del(&first->list);
3397 if (list_empty(&chan->srej_l)) {
3398 chan->buffer_seq = chan->buffer_seq_srej;
3399 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
3400 l2cap_send_ack(chan);
3401 BT_DBG("chan %p, Exit SREJ_SENT", chan);
3404 struct srej_list *l;
3406 /* duplicated tx_seq */
3407 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
3410 list_for_each_entry(l, &chan->srej_l, list) {
3411 if (l->tx_seq == tx_seq) {
3412 l2cap_resend_srejframe(chan, tx_seq);
3416 l2cap_send_srejframe(chan, tx_seq);
3419 expected_tx_seq_offset =
3420 (chan->expected_tx_seq - chan->buffer_seq) % 64;
3421 if (expected_tx_seq_offset < 0)
3422 expected_tx_seq_offset += 64;
3424 /* duplicated tx_seq */
3425 if (tx_seq_offset < expected_tx_seq_offset)
3428 set_bit(CONN_SREJ_SENT, &chan->conn_state);
3430 BT_DBG("chan %p, Enter SREJ", chan);
3432 INIT_LIST_HEAD(&chan->srej_l);
3433 chan->buffer_seq_srej = chan->buffer_seq;
3435 __skb_queue_head_init(&chan->srej_q);
3436 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3438 set_bit(CONN_SEND_PBIT, &chan->conn_state);
3440 l2cap_send_srejframe(chan, tx_seq);
3442 __clear_ack_timer(chan);
3447 chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3449 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3450 bt_cb(skb)->tx_seq = tx_seq;
3451 bt_cb(skb)->sar = sar;
3452 __skb_queue_tail(&chan->srej_q, skb);
3456 err = l2cap_reassemble_sdu(chan, skb, rx_control);
3457 chan->buffer_seq = (chan->buffer_seq + 1) % 64;
3459 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3463 if (rx_control & L2CAP_CTRL_FINAL) {
3464 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3465 l2cap_retransmit_frames(chan);
3468 __set_ack_timer(chan);
3470 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
3471 if (chan->num_acked == num_to_ack - 1)
3472 l2cap_send_ack(chan);
3481 static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
3483 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
3486 chan->expected_ack_seq = __get_reqseq(rx_control);
3487 l2cap_drop_acked_frames(chan);
3489 if (rx_control & L2CAP_CTRL_POLL) {
3490 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3491 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3492 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
3493 (chan->unacked_frames > 0))
3494 __set_retrans_timer(chan);
3496 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3497 l2cap_send_srejtail(chan);
3499 l2cap_send_i_or_rr_or_rnr(chan);
3502 } else if (rx_control & L2CAP_CTRL_FINAL) {
3503 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3505 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3506 l2cap_retransmit_frames(chan);
3509 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
3510 (chan->unacked_frames > 0))
3511 __set_retrans_timer(chan);
3513 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3514 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
3515 l2cap_send_ack(chan);
3517 l2cap_ertm_send(chan);
3521 static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
3523 u8 tx_seq = __get_reqseq(rx_control);
3525 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3527 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3529 chan->expected_ack_seq = tx_seq;
3530 l2cap_drop_acked_frames(chan);
3532 if (rx_control & L2CAP_CTRL_FINAL) {
3533 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3534 l2cap_retransmit_frames(chan);
3536 l2cap_retransmit_frames(chan);
3538 if (test_bit(CONN_WAIT_F, &chan->conn_state))
3539 set_bit(CONN_REJ_ACT, &chan->conn_state);
3542 static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
3544 u8 tx_seq = __get_reqseq(rx_control);
3546 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3548 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3550 if (rx_control & L2CAP_CTRL_POLL) {
3551 chan->expected_ack_seq = tx_seq;
3552 l2cap_drop_acked_frames(chan);
3554 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3555 l2cap_retransmit_one_frame(chan, tx_seq);
3557 l2cap_ertm_send(chan);
3559 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
3560 chan->srej_save_reqseq = tx_seq;
3561 set_bit(CONN_SREJ_ACT, &chan->conn_state);
3563 } else if (rx_control & L2CAP_CTRL_FINAL) {
3564 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
3565 chan->srej_save_reqseq == tx_seq)
3566 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
3568 l2cap_retransmit_one_frame(chan, tx_seq);
3570 l2cap_retransmit_one_frame(chan, tx_seq);
3571 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
3572 chan->srej_save_reqseq = tx_seq;
3573 set_bit(CONN_SREJ_ACT, &chan->conn_state);
3578 static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
3580 u8 tx_seq = __get_reqseq(rx_control);
3582 BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3584 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3585 chan->expected_ack_seq = tx_seq;
3586 l2cap_drop_acked_frames(chan);
3588 if (rx_control & L2CAP_CTRL_POLL)
3589 set_bit(CONN_SEND_FBIT, &chan->conn_state);
3591 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3592 __clear_retrans_timer(chan);
3593 if (rx_control & L2CAP_CTRL_POLL)
3594 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
3598 if (rx_control & L2CAP_CTRL_POLL)
3599 l2cap_send_srejtail(chan);
3601 l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
3604 static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
3606 BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
3608 if (L2CAP_CTRL_FINAL & rx_control &&
3609 test_bit(CONN_WAIT_F, &chan->conn_state)) {
3610 __clear_monitor_timer(chan);
3611 if (chan->unacked_frames > 0)
3612 __set_retrans_timer(chan);
3613 clear_bit(CONN_WAIT_F, &chan->conn_state);
3616 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
3617 case L2CAP_SUPER_RCV_READY:
3618 l2cap_data_channel_rrframe(chan, rx_control);
3621 case L2CAP_SUPER_REJECT:
3622 l2cap_data_channel_rejframe(chan, rx_control);
3625 case L2CAP_SUPER_SELECT_REJECT:
3626 l2cap_data_channel_srejframe(chan, rx_control);
3629 case L2CAP_SUPER_RCV_NOT_READY:
3630 l2cap_data_channel_rnrframe(chan, rx_control);
3638 static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
3640 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3643 int len, next_tx_seq_offset, req_seq_offset;
3645 control = get_unaligned_le16(skb->data);
3650 * We can just drop the corrupted I-frame here.
3651 * Receiver will miss it and start proper recovery
3652 * procedures and ask retransmission.
3654 if (l2cap_check_fcs(chan, skb))
3657 if (__is_sar_start(control) && __is_iframe(control))
3660 if (chan->fcs == L2CAP_FCS_CRC16)
3663 if (len > chan->mps) {
3664 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3668 req_seq = __get_reqseq(control);
3669 req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
3670 if (req_seq_offset < 0)
3671 req_seq_offset += 64;
3673 next_tx_seq_offset =
3674 (chan->next_tx_seq - chan->expected_ack_seq) % 64;
3675 if (next_tx_seq_offset < 0)
3676 next_tx_seq_offset += 64;
3678 /* check for invalid req-seq */
3679 if (req_seq_offset > next_tx_seq_offset) {
3680 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3684 if (__is_iframe(control)) {
3686 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3690 l2cap_data_channel_iframe(chan, control, skb);
3694 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3698 l2cap_data_channel_sframe(chan, control, skb);
3708 static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
3710 struct l2cap_chan *chan;
3711 struct sock *sk = NULL;
3716 chan = l2cap_get_chan_by_scid(conn, cid);
3718 BT_DBG("unknown cid 0x%4.4x", cid);
3724 BT_DBG("chan %p, len %d", chan, skb->len);
3726 if (chan->state != BT_CONNECTED)
3729 switch (chan->mode) {
3730 case L2CAP_MODE_BASIC:
3731 /* If socket recv buffers overflows we drop data here
3732 * which is *bad* because L2CAP has to be reliable.
3733 * But we don't have any other choice. L2CAP doesn't
3734 * provide flow control mechanism. */
3736 if (chan->imtu < skb->len)
3739 if (!chan->ops->recv(chan->data, skb))
3743 case L2CAP_MODE_ERTM:
3744 if (!sock_owned_by_user(sk)) {
3745 l2cap_ertm_data_rcv(sk, skb);
3747 if (sk_add_backlog(sk, skb))
3753 case L2CAP_MODE_STREAMING:
3754 control = get_unaligned_le16(skb->data);
3758 if (l2cap_check_fcs(chan, skb))
3761 if (__is_sar_start(control))
3764 if (chan->fcs == L2CAP_FCS_CRC16)
3767 if (len > chan->mps || len < 0 || __is_sframe(control))
3770 tx_seq = __get_txseq(control);
3772 if (chan->expected_tx_seq != tx_seq) {
3773 /* Frame(s) missing - must discard partial SDU */
3774 kfree_skb(chan->sdu);
3776 chan->sdu_last_frag = NULL;
3779 /* TODO: Notify userland of missing data */
3782 chan->expected_tx_seq = (tx_seq + 1) % 64;
3784 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
3785 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3790 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
3804 static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
3806 struct sock *sk = NULL;
3807 struct l2cap_chan *chan;
3809 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
3817 BT_DBG("sk %p, len %d", sk, skb->len);
3819 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
3822 if (chan->imtu < skb->len)
3825 if (!chan->ops->recv(chan->data, skb))
3837 static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
3839 struct sock *sk = NULL;
3840 struct l2cap_chan *chan;
3842 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
3850 BT_DBG("sk %p, len %d", sk, skb->len);
3852 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
3855 if (chan->imtu < skb->len)
3858 if (!chan->ops->recv(chan->data, skb))
3870 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
3872 struct l2cap_hdr *lh = (void *) skb->data;
3876 skb_pull(skb, L2CAP_HDR_SIZE);
3877 cid = __le16_to_cpu(lh->cid);
3878 len = __le16_to_cpu(lh->len);
3880 if (len != skb->len) {
3885 BT_DBG("len %d, cid 0x%4.4x", len, cid);
3888 case L2CAP_CID_LE_SIGNALING:
3889 case L2CAP_CID_SIGNALING:
3890 l2cap_sig_channel(conn, skb);
3893 case L2CAP_CID_CONN_LESS:
3894 psm = get_unaligned_le16(skb->data);
3896 l2cap_conless_channel(conn, psm, skb);
3899 case L2CAP_CID_LE_DATA:
3900 l2cap_att_channel(conn, cid, skb);
3904 if (smp_sig_channel(conn, skb))
3905 l2cap_conn_del(conn->hcon, EACCES);
3909 l2cap_data_channel(conn, cid, skb);
3914 /* ---- L2CAP interface with lower layer (HCI) ---- */
3916 static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3918 int exact = 0, lm1 = 0, lm2 = 0;
3919 struct l2cap_chan *c;
3921 if (type != ACL_LINK)
3924 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
3926 /* Find listening sockets and check their link_mode */
3927 read_lock(&chan_list_lock);
3928 list_for_each_entry(c, &chan_list, global_l) {
3929 struct sock *sk = c->sk;
3931 if (c->state != BT_LISTEN)
3934 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
3935 lm1 |= HCI_LM_ACCEPT;
3937 lm1 |= HCI_LM_MASTER;
3939 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
3940 lm2 |= HCI_LM_ACCEPT;
3942 lm2 |= HCI_LM_MASTER;
3945 read_unlock(&chan_list_lock);
3947 return exact ? lm1 : lm2;
3950 static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
3952 struct l2cap_conn *conn;
3954 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
3956 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
3960 conn = l2cap_conn_add(hcon, status);
3962 l2cap_conn_ready(conn);
3964 l2cap_conn_del(hcon, bt_to_errno(status));
3969 static int l2cap_disconn_ind(struct hci_conn *hcon)
3971 struct l2cap_conn *conn = hcon->l2cap_data;
3973 BT_DBG("hcon %p", hcon);
3975 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
3978 return conn->disc_reason;
3981 static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
3983 BT_DBG("hcon %p reason %d", hcon, reason);
3985 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
3988 l2cap_conn_del(hcon, bt_to_errno(reason));
3993 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
3995 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
3998 if (encrypt == 0x00) {
3999 if (chan->sec_level == BT_SECURITY_MEDIUM) {
4000 __clear_chan_timer(chan);
4001 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4002 } else if (chan->sec_level == BT_SECURITY_HIGH)
4003 l2cap_chan_close(chan, ECONNREFUSED);
4005 if (chan->sec_level == BT_SECURITY_MEDIUM)
4006 __clear_chan_timer(chan);
4010 static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4012 struct l2cap_conn *conn = hcon->l2cap_data;
4013 struct l2cap_chan *chan;
4018 BT_DBG("conn %p", conn);
4020 if (hcon->type == LE_LINK) {
4021 smp_distribute_keys(conn, 0);
4022 del_timer(&conn->security_timer);
4025 read_lock(&conn->chan_lock);
4027 list_for_each_entry(chan, &conn->chan_l, list) {
4028 struct sock *sk = chan->sk;
4032 BT_DBG("chan->scid %d", chan->scid);
4034 if (chan->scid == L2CAP_CID_LE_DATA) {
4035 if (!status && encrypt) {
4036 chan->sec_level = hcon->sec_level;
4037 l2cap_chan_ready(sk);
4044 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
4049 if (!status && (chan->state == BT_CONNECTED ||
4050 chan->state == BT_CONFIG)) {
4051 l2cap_check_encryption(chan, encrypt);
4056 if (chan->state == BT_CONNECT) {
4058 struct l2cap_conn_req req;
4059 req.scid = cpu_to_le16(chan->scid);
4060 req.psm = chan->psm;
4062 chan->ident = l2cap_get_ident(conn);
4063 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4065 l2cap_send_cmd(conn, chan->ident,
4066 L2CAP_CONN_REQ, sizeof(req), &req);
4068 __clear_chan_timer(chan);
4069 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
4071 } else if (chan->state == BT_CONNECT2) {
4072 struct l2cap_conn_rsp rsp;
4076 if (bt_sk(sk)->defer_setup) {
4077 struct sock *parent = bt_sk(sk)->parent;
4078 res = L2CAP_CR_PEND;
4079 stat = L2CAP_CS_AUTHOR_PEND;
4081 parent->sk_data_ready(parent, 0);
4083 l2cap_state_change(chan, BT_CONFIG);
4084 res = L2CAP_CR_SUCCESS;
4085 stat = L2CAP_CS_NO_INFO;
4088 l2cap_state_change(chan, BT_DISCONN);
4089 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
4090 res = L2CAP_CR_SEC_BLOCK;
4091 stat = L2CAP_CS_NO_INFO;
4094 rsp.scid = cpu_to_le16(chan->dcid);
4095 rsp.dcid = cpu_to_le16(chan->scid);
4096 rsp.result = cpu_to_le16(res);
4097 rsp.status = cpu_to_le16(stat);
4098 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4105 read_unlock(&conn->chan_lock);
4110 static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4112 struct l2cap_conn *conn = hcon->l2cap_data;
4115 conn = l2cap_conn_add(hcon, 0);
4120 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4122 if (!(flags & ACL_CONT)) {
4123 struct l2cap_hdr *hdr;
4124 struct l2cap_chan *chan;
4129 BT_ERR("Unexpected start frame (len %d)", skb->len);
4130 kfree_skb(conn->rx_skb);
4131 conn->rx_skb = NULL;
4133 l2cap_conn_unreliable(conn, ECOMM);
4136 /* Start fragment always begin with Basic L2CAP header */
4137 if (skb->len < L2CAP_HDR_SIZE) {
4138 BT_ERR("Frame is too short (len %d)", skb->len);
4139 l2cap_conn_unreliable(conn, ECOMM);
4143 hdr = (struct l2cap_hdr *) skb->data;
4144 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4145 cid = __le16_to_cpu(hdr->cid);
4147 if (len == skb->len) {
4148 /* Complete frame received */
4149 l2cap_recv_frame(conn, skb);
4153 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4155 if (skb->len > len) {
4156 BT_ERR("Frame is too long (len %d, expected len %d)",
4158 l2cap_conn_unreliable(conn, ECOMM);
4162 chan = l2cap_get_chan_by_scid(conn, cid);
4164 if (chan && chan->sk) {
4165 struct sock *sk = chan->sk;
4167 if (chan->imtu < len - L2CAP_HDR_SIZE) {
4168 BT_ERR("Frame exceeding recv MTU (len %d, "
4172 l2cap_conn_unreliable(conn, ECOMM);
4178 /* Allocate skb for the complete frame (with header) */
4179 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4183 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4185 conn->rx_len = len - skb->len;
4187 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4189 if (!conn->rx_len) {
4190 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4191 l2cap_conn_unreliable(conn, ECOMM);
4195 if (skb->len > conn->rx_len) {
4196 BT_ERR("Fragment is too long (len %d, expected %d)",
4197 skb->len, conn->rx_len);
4198 kfree_skb(conn->rx_skb);
4199 conn->rx_skb = NULL;
4201 l2cap_conn_unreliable(conn, ECOMM);
4205 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4207 conn->rx_len -= skb->len;
4209 if (!conn->rx_len) {
4210 /* Complete frame received */
4211 l2cap_recv_frame(conn, conn->rx_skb);
4212 conn->rx_skb = NULL;
4221 static int l2cap_debugfs_show(struct seq_file *f, void *p)
4223 struct l2cap_chan *c;
4225 read_lock_bh(&chan_list_lock);
4227 list_for_each_entry(c, &chan_list, global_l) {
4228 struct sock *sk = c->sk;
4230 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
4231 batostr(&bt_sk(sk)->src),
4232 batostr(&bt_sk(sk)->dst),
4233 c->state, __le16_to_cpu(c->psm),
4234 c->scid, c->dcid, c->imtu, c->omtu,
4235 c->sec_level, c->mode);
4238 read_unlock_bh(&chan_list_lock);
4243 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4245 return single_open(file, l2cap_debugfs_show, inode->i_private);
4248 static const struct file_operations l2cap_debugfs_fops = {
4249 .open = l2cap_debugfs_open,
4251 .llseek = seq_lseek,
4252 .release = single_release,
4255 static struct dentry *l2cap_debugfs;
4257 static struct hci_proto l2cap_hci_proto = {
4259 .id = HCI_PROTO_L2CAP,
4260 .connect_ind = l2cap_connect_ind,
4261 .connect_cfm = l2cap_connect_cfm,
4262 .disconn_ind = l2cap_disconn_ind,
4263 .disconn_cfm = l2cap_disconn_cfm,
4264 .security_cfm = l2cap_security_cfm,
4265 .recv_acldata = l2cap_recv_acldata
4268 int __init l2cap_init(void)
4272 err = l2cap_init_sockets();
4276 err = hci_register_proto(&l2cap_hci_proto);
4278 BT_ERR("L2CAP protocol registration failed");
4279 bt_sock_unregister(BTPROTO_L2CAP);
4284 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4285 bt_debugfs, NULL, &l2cap_debugfs_fops);
4287 BT_ERR("Failed to create L2CAP debug file");
4293 l2cap_cleanup_sockets();
4297 void l2cap_exit(void)
4299 debugfs_remove(l2cap_debugfs);
4301 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4302 BT_ERR("L2CAP protocol unregistration failed");
4304 l2cap_cleanup_sockets();
4307 module_param(disable_ertm, bool, 0644);
4308 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
git.openpandora.org / pandora-kernel.git / blob