Home | History | Annotate | Download | only in l2cap
      1 /******************************************************************************
      2  *
      3  *  Copyright (C) 1999-2012 Broadcom Corporation
      4  *
      5  *  Licensed under the Apache License, Version 2.0 (the "License");
      6  *  you may not use this file except in compliance with the License.
      7  *  You may obtain a copy of the License at:
      8  *
      9  *  http://www.apache.org/licenses/LICENSE-2.0
     10  *
     11  *  Unless required by applicable law or agreed to in writing, software
     12  *  distributed under the License is distributed on an "AS IS" BASIS,
     13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     14  *  See the License for the specific language governing permissions and
     15  *  limitations under the License.
     16  *
     17  ******************************************************************************/
     18 
     19 /******************************************************************************
     20  *
     21  *  This file contains L2CAP utility functions
     22  *
     23  ******************************************************************************/
     24 
     25 #include <stdio.h>
     26 #include <stdlib.h>
     27 #include <string.h>
     28 
     29 #include "bt_common.h"
     30 #include "bt_types.h"
     31 #include "bt_utils.h"
     32 #include "btm_api.h"
     33 #include "btm_int.h"
     34 #include "btu.h"
     35 #include "device/include/controller.h"
     36 #include "hcidefs.h"
     37 #include "hcimsgs.h"
     38 #include "l2c_int.h"
     39 #include "l2cdefs.h"
     40 #include "osi/include/allocator.h"
     41 
     42 /*******************************************************************************
     43  *
     44  * Function         l2cu_can_allocate_lcb
     45  *
     46  * Description      Look for an unused LCB
     47  *
     48  * Returns          true if there is space for one more lcb
     49  *
     50  ******************************************************************************/
     51 bool l2cu_can_allocate_lcb(void) {
     52   for (int i = 0; i < MAX_L2CAP_LINKS; i++) {
     53     if (!l2cb.lcb_pool[i].in_use) return true;
     54   }
     55   return false;
     56 }
     57 
     58 /*******************************************************************************
     59  *
     60  * Function         l2cu_allocate_lcb
     61  *
     62  * Description      Look for an unused LCB
     63  *
     64  * Returns          LCB address or NULL if none found
     65  *
     66  ******************************************************************************/
     67 tL2C_LCB* l2cu_allocate_lcb(const RawAddress& p_bd_addr, bool is_bonding,
     68                             tBT_TRANSPORT transport) {
     69   int xx;
     70   tL2C_LCB* p_lcb = &l2cb.lcb_pool[0];
     71 
     72   for (xx = 0; xx < MAX_L2CAP_LINKS; xx++, p_lcb++) {
     73     if (!p_lcb->in_use) {
     74       alarm_free(p_lcb->l2c_lcb_timer);
     75       alarm_free(p_lcb->info_resp_timer);
     76       memset(p_lcb, 0, sizeof(tL2C_LCB));
     77 
     78       p_lcb->remote_bd_addr = p_bd_addr;
     79 
     80       p_lcb->in_use = true;
     81       p_lcb->link_state = LST_DISCONNECTED;
     82       p_lcb->handle = HCI_INVALID_HANDLE;
     83       p_lcb->link_flush_tout = 0xFFFF;
     84       p_lcb->l2c_lcb_timer = alarm_new("l2c_lcb.l2c_lcb_timer");
     85       p_lcb->info_resp_timer = alarm_new("l2c_lcb.info_resp_timer");
     86       p_lcb->idle_timeout = l2cb.idle_timeout;
     87       p_lcb->id = 1; /* spec does not allow '0' */
     88       p_lcb->is_bonding = is_bonding;
     89       p_lcb->transport = transport;
     90       p_lcb->tx_data_len =
     91           controller_get_interface()->get_ble_default_data_packet_length();
     92       p_lcb->le_sec_pending_q = fixed_queue_new(SIZE_MAX);
     93 
     94       if (transport == BT_TRANSPORT_LE) {
     95         l2cb.num_ble_links_active++;
     96         l2c_ble_link_adjust_allocation();
     97       } else {
     98         l2cb.num_links_active++;
     99         l2c_link_adjust_allocation();
    100       }
    101 #if (L2CAP_UCD_INCLUDED == TRUE)
    102       p_lcb->ucd_out_sec_pending_q = fixed_queue_new(SIZE_MAX);
    103       p_lcb->ucd_in_sec_pending_q = fixed_queue_new(SIZE_MAX);
    104 #endif
    105       p_lcb->link_xmit_data_q = list_new(NULL);
    106       return (p_lcb);
    107     }
    108   }
    109 
    110   /* If here, no free LCB found */
    111   return (NULL);
    112 }
    113 
    114 /*******************************************************************************
    115  *
    116  * Function         l2cu_update_lcb_4_bonding
    117  *
    118  * Description      Mark the lcb for bonding. Used when bonding takes place on
    119  *                  an existing ACL connection.  (Pre-Lisbon devices)
    120  *
    121  * Returns          Nothing
    122  *
    123  ******************************************************************************/
    124 void l2cu_update_lcb_4_bonding(const RawAddress& p_bd_addr, bool is_bonding) {
    125   tL2C_LCB* p_lcb = l2cu_find_lcb_by_bd_addr(p_bd_addr, BT_TRANSPORT_BR_EDR);
    126 
    127   if (p_lcb) {
    128     VLOG(1) << __func__ << " BDA: " << p_bd_addr
    129             << " is_bonding: " << is_bonding;
    130     p_lcb->is_bonding = is_bonding;
    131   }
    132 }
    133 
    134 /*******************************************************************************
    135  *
    136  * Function         l2cu_release_lcb
    137  *
    138  * Description      Release an LCB. All timers will be stopped and freed,
    139  *                  channels dropped, buffers returned etc.
    140  *
    141  * Returns          void
    142  *
    143  ******************************************************************************/
    144 void l2cu_release_lcb(tL2C_LCB* p_lcb) {
    145   tL2C_CCB* p_ccb;
    146 
    147   p_lcb->in_use = false;
    148   p_lcb->is_bonding = false;
    149 
    150   /* Stop and free timers */
    151   alarm_free(p_lcb->l2c_lcb_timer);
    152   p_lcb->l2c_lcb_timer = NULL;
    153   alarm_free(p_lcb->info_resp_timer);
    154   p_lcb->info_resp_timer = NULL;
    155 
    156   /* Release any unfinished L2CAP packet on this link */
    157   osi_free_and_reset((void**)&p_lcb->p_hcit_rcv_acl);
    158 
    159 #if (BTM_SCO_INCLUDED == TRUE)
    160   if (p_lcb->transport == BT_TRANSPORT_BR_EDR) /* Release all SCO links */
    161     btm_remove_sco_links(p_lcb->remote_bd_addr);
    162 #endif
    163 
    164   if (p_lcb->sent_not_acked > 0) {
    165     if (p_lcb->transport == BT_TRANSPORT_LE) {
    166       l2cb.controller_le_xmit_window += p_lcb->sent_not_acked;
    167       if (l2cb.controller_le_xmit_window > l2cb.num_lm_ble_bufs) {
    168         l2cb.controller_le_xmit_window = l2cb.num_lm_ble_bufs;
    169       }
    170     } else {
    171       l2cb.controller_xmit_window += p_lcb->sent_not_acked;
    172       if (l2cb.controller_xmit_window > l2cb.num_lm_acl_bufs) {
    173         l2cb.controller_xmit_window = l2cb.num_lm_acl_bufs;
    174       }
    175     }
    176   }
    177 
    178   // Reset BLE connecting flag only if the address matches
    179   if (l2cb.ble_connecting_bda == p_lcb->remote_bd_addr)
    180     l2cb.is_ble_connecting = false;
    181 
    182 #if (L2CAP_NUM_FIXED_CHNLS > 0)
    183   l2cu_process_fixed_disc_cback(p_lcb);
    184 #endif
    185 
    186   /* Ensure no CCBs left on this LCB */
    187   for (p_ccb = p_lcb->ccb_queue.p_first_ccb; p_ccb;
    188        p_ccb = p_lcb->ccb_queue.p_first_ccb) {
    189     l2cu_release_ccb(p_ccb);
    190   }
    191 
    192   /* Tell BTM Acl management the link was removed */
    193   if ((p_lcb->link_state == LST_CONNECTED) ||
    194       (p_lcb->link_state == LST_DISCONNECTING))
    195     btm_acl_removed(p_lcb->remote_bd_addr, p_lcb->transport);
    196 
    197   /* Release any held buffers */
    198   if (p_lcb->link_xmit_data_q) {
    199     while (!list_is_empty(p_lcb->link_xmit_data_q)) {
    200       BT_HDR* p_buf = static_cast<BT_HDR*>(list_front(p_lcb->link_xmit_data_q));
    201       list_remove(p_lcb->link_xmit_data_q, p_buf);
    202       osi_free(p_buf);
    203     }
    204     list_free(p_lcb->link_xmit_data_q);
    205     p_lcb->link_xmit_data_q = NULL;
    206   }
    207 
    208 #if (L2CAP_UCD_INCLUDED == TRUE)
    209   /* clean up any security pending UCD */
    210   l2c_ucd_delete_sec_pending_q(p_lcb);
    211 #endif
    212 
    213   /* Re-adjust flow control windows make sure it does not go negative */
    214   if (p_lcb->transport == BT_TRANSPORT_LE) {
    215     if (l2cb.num_ble_links_active >= 1) l2cb.num_ble_links_active--;
    216 
    217     l2c_ble_link_adjust_allocation();
    218   } else {
    219     if (l2cb.num_links_active >= 1) l2cb.num_links_active--;
    220 
    221     l2c_link_adjust_allocation();
    222   }
    223 
    224   /* Check for ping outstanding */
    225   if (p_lcb->p_echo_rsp_cb) {
    226     tL2CA_ECHO_RSP_CB* p_cb = p_lcb->p_echo_rsp_cb;
    227 
    228     /* Zero out the callback in case app immediately calls us again */
    229     p_lcb->p_echo_rsp_cb = NULL;
    230 
    231     (*p_cb)(L2CAP_PING_RESULT_NO_LINK);
    232   }
    233 
    234   /* Check and release all the LE COC connections waiting for security */
    235   if (p_lcb->le_sec_pending_q) {
    236     while (!fixed_queue_is_empty(p_lcb->le_sec_pending_q)) {
    237       tL2CAP_SEC_DATA* p_buf =
    238           (tL2CAP_SEC_DATA*)fixed_queue_try_dequeue(p_lcb->le_sec_pending_q);
    239       if (p_buf->p_callback)
    240         p_buf->p_callback(p_lcb->remote_bd_addr, p_lcb->transport,
    241                           p_buf->p_ref_data, BTM_DEV_RESET);
    242       osi_free(p_buf);
    243     }
    244     fixed_queue_free(p_lcb->le_sec_pending_q, NULL);
    245     p_lcb->le_sec_pending_q = NULL;
    246   }
    247 }
    248 
    249 /*******************************************************************************
    250  *
    251  * Function         l2cu_find_lcb_by_bd_addr
    252  *
    253  * Description      Look through all active LCBs for a match based on the
    254  *                  remote BD address.
    255  *
    256  * Returns          pointer to matched LCB, or NULL if no match
    257  *
    258  ******************************************************************************/
    259 tL2C_LCB* l2cu_find_lcb_by_bd_addr(const RawAddress& p_bd_addr,
    260                                    tBT_TRANSPORT transport) {
    261   int xx;
    262   tL2C_LCB* p_lcb = &l2cb.lcb_pool[0];
    263 
    264   for (xx = 0; xx < MAX_L2CAP_LINKS; xx++, p_lcb++) {
    265     if ((p_lcb->in_use) && p_lcb->transport == transport &&
    266         (p_lcb->remote_bd_addr == p_bd_addr)) {
    267       return (p_lcb);
    268     }
    269   }
    270 
    271   /* If here, no match found */
    272   return (NULL);
    273 }
    274 
    275 /*******************************************************************************
    276  *
    277  * Function         l2cu_get_conn_role
    278  *
    279  * Description      Determine the desired role (master or slave) of a link.
    280  *                  If already got a slave link, this one must be a master. If
    281  *                  already got at least 1 link where we are the master, make
    282  *                  this also a master.
    283  *
    284  * Returns          HCI_ROLE_MASTER or HCI_ROLE_SLAVE
    285  *
    286  ******************************************************************************/
    287 uint8_t l2cu_get_conn_role(tL2C_LCB* p_this_lcb) { return l2cb.desire_role; }
    288 
    289 /*******************************************************************************
    290  *
    291  * Function         l2c_is_cmd_rejected
    292  *
    293  * Description      Checks if cmd_code is command or response
    294  *                  If a command it will be rejected per spec.
    295  *                  This function is used when a illegal packet length is
    296  *                  detected.
    297  *
    298  * Returns          bool    - true if cmd_code is a command and it is rejected,
    299  *                            false if response code. (command not rejected)
    300  *
    301  ******************************************************************************/
    302 bool l2c_is_cmd_rejected(uint8_t cmd_code, uint8_t id, tL2C_LCB* p_lcb) {
    303   switch (cmd_code) {
    304     case L2CAP_CMD_CONN_REQ:
    305     case L2CAP_CMD_CONFIG_REQ:
    306     case L2CAP_CMD_DISC_REQ:
    307     case L2CAP_CMD_ECHO_REQ:
    308     case L2CAP_CMD_INFO_REQ:
    309     case L2CAP_CMD_AMP_CONN_REQ:
    310     case L2CAP_CMD_AMP_MOVE_REQ:
    311     case L2CAP_CMD_BLE_UPDATE_REQ:
    312       l2cu_send_peer_cmd_reject(p_lcb, L2CAP_CMD_REJ_MTU_EXCEEDED, id,
    313                                 L2CAP_DEFAULT_MTU, 0);
    314       L2CAP_TRACE_WARNING("Dumping first Command (%d)", cmd_code);
    315       return true;
    316 
    317     default: /* Otherwise a response */
    318       return false;
    319   }
    320 }
    321 
    322 /*******************************************************************************
    323  *
    324  * Function         l2cu_build_header
    325  *
    326  * Description      Builds the L2CAP command packet header
    327  *
    328  * Returns          Pointer to allocated packet or NULL if no resources
    329  *
    330  ******************************************************************************/
    331 BT_HDR* l2cu_build_header(tL2C_LCB* p_lcb, uint16_t len, uint8_t cmd,
    332                           uint8_t id) {
    333   BT_HDR* p_buf = (BT_HDR*)osi_malloc(L2CAP_CMD_BUF_SIZE);
    334   uint8_t* p;
    335 
    336   p_buf->offset = L2CAP_SEND_CMD_OFFSET;
    337   p_buf->len =
    338       len + HCI_DATA_PREAMBLE_SIZE + L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
    339   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET;
    340 
    341   /* Put in HCI header - handle + pkt boundary */
    342   if (p_lcb->transport == BT_TRANSPORT_LE) {
    343     UINT16_TO_STREAM(p, (p_lcb->handle | (L2CAP_PKT_START_NON_FLUSHABLE
    344                                           << L2CAP_PKT_TYPE_SHIFT)));
    345   } else {
    346 #if (L2CAP_NON_FLUSHABLE_PB_INCLUDED == TRUE)
    347     UINT16_TO_STREAM(p, p_lcb->handle | l2cb.non_flushable_pbf);
    348 #else
    349     UINT16_TO_STREAM(
    350         p, (p_lcb->handle | (L2CAP_PKT_START << L2CAP_PKT_TYPE_SHIFT)));
    351 #endif
    352   }
    353 
    354   UINT16_TO_STREAM(p, len + L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD);
    355   UINT16_TO_STREAM(p, len + L2CAP_CMD_OVERHEAD);
    356 
    357   if (p_lcb->transport == BT_TRANSPORT_LE) {
    358     UINT16_TO_STREAM(p, L2CAP_BLE_SIGNALLING_CID);
    359   } else {
    360     UINT16_TO_STREAM(p, L2CAP_SIGNALLING_CID);
    361   }
    362 
    363   /* Put in L2CAP command header */
    364   UINT8_TO_STREAM(p, cmd);
    365   UINT8_TO_STREAM(p, id);
    366   UINT16_TO_STREAM(p, len);
    367 
    368   return (p_buf);
    369 }
    370 
    371 /*******************************************************************************
    372  *
    373  * Function         l2cu_adj_id
    374  *
    375  * Description      Checks for valid ID based on specified mask
    376  *                  and adjusts the id if invalid.
    377  *
    378  * Returns          void
    379  *
    380  ******************************************************************************/
    381 void l2cu_adj_id(tL2C_LCB* p_lcb, uint8_t adj_mask) {
    382   if ((adj_mask & L2CAP_ADJ_ZERO_ID) && !p_lcb->id) {
    383     p_lcb->id++;
    384   }
    385 }
    386 
    387 /*******************************************************************************
    388  *
    389  * Function         l2cu_send_peer_cmd_reject
    390  *
    391  * Description      Build and send an L2CAP "command reject" message
    392  *                  to the peer.
    393  *
    394  * Returns          void
    395  *
    396  ******************************************************************************/
    397 void l2cu_send_peer_cmd_reject(tL2C_LCB* p_lcb, uint16_t reason, uint8_t rem_id,
    398                                uint16_t p1, uint16_t p2) {
    399   uint16_t param_len;
    400   BT_HDR* p_buf;
    401   uint8_t* p;
    402 
    403   /* Put in L2CAP packet header */
    404   if (reason == L2CAP_CMD_REJ_MTU_EXCEEDED)
    405     param_len = 2;
    406   else if (reason == L2CAP_CMD_REJ_INVALID_CID)
    407     param_len = 4;
    408   else
    409     param_len = 0;
    410 
    411   p_buf = l2cu_build_header(p_lcb, (uint16_t)(L2CAP_CMD_REJECT_LEN + param_len),
    412                             L2CAP_CMD_REJECT, rem_id);
    413   if (p_buf == NULL) {
    414     L2CAP_TRACE_WARNING("L2CAP - no buffer cmd_rej");
    415     return;
    416   }
    417 
    418   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
    419       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
    420 
    421   UINT16_TO_STREAM(p, reason);
    422 
    423   if (param_len >= 2) UINT16_TO_STREAM(p, p1);
    424 
    425   if (param_len >= 4) UINT16_TO_STREAM(p, p2);
    426 
    427   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
    428 }
    429 
    430 /*******************************************************************************
    431  *
    432  * Function         l2cu_send_peer_connect_req
    433  *
    434  * Description      Build and send an L2CAP "connection request" message
    435  *                  to the peer.
    436  *
    437  * Returns          void
    438  *
    439  ******************************************************************************/
    440 void l2cu_send_peer_connect_req(tL2C_CCB* p_ccb) {
    441   BT_HDR* p_buf;
    442   uint8_t* p;
    443 
    444   /* Create an identifier for this packet */
    445   p_ccb->p_lcb->id++;
    446   l2cu_adj_id(p_ccb->p_lcb, L2CAP_ADJ_ID);
    447 
    448   p_ccb->local_id = p_ccb->p_lcb->id;
    449 
    450   p_buf = l2cu_build_header(p_ccb->p_lcb, L2CAP_CONN_REQ_LEN,
    451                             L2CAP_CMD_CONN_REQ, p_ccb->local_id);
    452   if (p_buf == NULL) {
    453     L2CAP_TRACE_WARNING("L2CAP - no buffer for conn_req");
    454     return;
    455   }
    456 
    457   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
    458       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
    459 
    460   UINT16_TO_STREAM(p, p_ccb->p_rcb->real_psm);
    461   UINT16_TO_STREAM(p, p_ccb->local_cid);
    462 
    463   l2c_link_check_send_pkts(p_ccb->p_lcb, NULL, p_buf);
    464 }
    465 
    466 /*******************************************************************************
    467  *
    468  * Function         l2cu_send_peer_connect_rsp
    469  *
    470  * Description      Build and send an L2CAP "connection response" message
    471  *                  to the peer.
    472  *
    473  * Returns          void
    474  *
    475  ******************************************************************************/
    476 void l2cu_send_peer_connect_rsp(tL2C_CCB* p_ccb, uint16_t result,
    477                                 uint16_t status) {
    478   BT_HDR* p_buf;
    479   uint8_t* p;
    480 
    481   if (result == L2CAP_CONN_PENDING) {
    482     /* if we already sent pending response */
    483     if (p_ccb->flags & CCB_FLAG_SENT_PENDING)
    484       return;
    485     else
    486       p_ccb->flags |= CCB_FLAG_SENT_PENDING;
    487   }
    488 
    489   p_buf = l2cu_build_header(p_ccb->p_lcb, L2CAP_CONN_RSP_LEN,
    490                             L2CAP_CMD_CONN_RSP, p_ccb->remote_id);
    491   if (p_buf == NULL) {
    492     L2CAP_TRACE_WARNING("L2CAP - no buffer for conn_rsp");
    493     return;
    494   }
    495 
    496   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
    497       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
    498 
    499   UINT16_TO_STREAM(p, p_ccb->local_cid);
    500   UINT16_TO_STREAM(p, p_ccb->remote_cid);
    501   UINT16_TO_STREAM(p, result);
    502   UINT16_TO_STREAM(p, status);
    503 
    504   l2c_link_check_send_pkts(p_ccb->p_lcb, NULL, p_buf);
    505 }
    506 
    507 /*******************************************************************************
    508  *
    509  * Function         l2cu_reject_connection
    510  *
    511  * Description      Build and send an L2CAP "connection response neg" message
    512  *                  to the peer. This function is called when there is no peer
    513  *                  CCB (non-existant PSM or no resources).
    514  *
    515  * Returns          void
    516  *
    517  ******************************************************************************/
    518 void l2cu_reject_connection(tL2C_LCB* p_lcb, uint16_t remote_cid,
    519                             uint8_t rem_id, uint16_t result) {
    520   BT_HDR* p_buf;
    521   uint8_t* p;
    522 
    523   p_buf =
    524       l2cu_build_header(p_lcb, L2CAP_CONN_RSP_LEN, L2CAP_CMD_CONN_RSP, rem_id);
    525   if (p_buf == NULL) {
    526     L2CAP_TRACE_WARNING("L2CAP - no buffer for conn_req");
    527     return;
    528   }
    529 
    530   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
    531       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
    532 
    533   UINT16_TO_STREAM(p, 0); /* Local CID of 0   */
    534   UINT16_TO_STREAM(p, remote_cid);
    535   UINT16_TO_STREAM(p, result);
    536   UINT16_TO_STREAM(p, 0); /* Status of 0      */
    537 
    538   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
    539 }
    540 
    541 /*******************************************************************************
    542  *
    543  * Function         l2cu_send_peer_config_req
    544  *
    545  * Description      Build and send an L2CAP "configuration request" message
    546  *                  to the peer.
    547  *
    548  * Returns          void
    549  *
    550  ******************************************************************************/
    551 void l2cu_send_peer_config_req(tL2C_CCB* p_ccb, tL2CAP_CFG_INFO* p_cfg) {
    552   BT_HDR* p_buf;
    553   uint16_t cfg_len = 0;
    554   uint8_t* p;
    555 
    556   /* Create an identifier for this packet */
    557   p_ccb->p_lcb->id++;
    558   l2cu_adj_id(p_ccb->p_lcb, L2CAP_ADJ_ID);
    559 
    560   p_ccb->local_id = p_ccb->p_lcb->id;
    561 
    562   if (p_cfg->mtu_present)
    563     cfg_len += L2CAP_CFG_MTU_OPTION_LEN + L2CAP_CFG_OPTION_OVERHEAD;
    564   if (p_cfg->flush_to_present)
    565     cfg_len += L2CAP_CFG_FLUSH_OPTION_LEN + L2CAP_CFG_OPTION_OVERHEAD;
    566   if (p_cfg->qos_present)
    567     cfg_len += L2CAP_CFG_QOS_OPTION_LEN + L2CAP_CFG_OPTION_OVERHEAD;
    568   if (p_cfg->fcr_present)
    569     cfg_len += L2CAP_CFG_FCR_OPTION_LEN + L2CAP_CFG_OPTION_OVERHEAD;
    570   if (p_cfg->fcs_present)
    571     cfg_len += L2CAP_CFG_FCS_OPTION_LEN + L2CAP_CFG_OPTION_OVERHEAD;
    572   if (p_cfg->ext_flow_spec_present)
    573     cfg_len += L2CAP_CFG_EXT_FLOW_OPTION_LEN + L2CAP_CFG_OPTION_OVERHEAD;
    574 
    575   p_buf = l2cu_build_header(p_ccb->p_lcb,
    576                             (uint16_t)(L2CAP_CONFIG_REQ_LEN + cfg_len),
    577                             L2CAP_CMD_CONFIG_REQ, p_ccb->local_id);
    578   if (p_buf == NULL) {
    579     L2CAP_TRACE_WARNING("L2CAP - no buffer for conn_req");
    580     return;
    581   }
    582 
    583   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
    584       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
    585 
    586   UINT16_TO_STREAM(p, p_ccb->remote_cid);
    587   UINT16_TO_STREAM(p, p_cfg->flags); /* Flags (continuation) */
    588 
    589   /* Now, put the options */
    590   if (p_cfg->mtu_present) {
    591     UINT8_TO_STREAM(p, L2CAP_CFG_TYPE_MTU);
    592     UINT8_TO_STREAM(p, L2CAP_CFG_MTU_OPTION_LEN);
    593     UINT16_TO_STREAM(p, p_cfg->mtu);
    594   }
    595   if (p_cfg->flush_to_present) {
    596     UINT8_TO_STREAM(p, L2CAP_CFG_TYPE_FLUSH_TOUT);
    597     UINT8_TO_STREAM(p, L2CAP_CFG_FLUSH_OPTION_LEN);
    598     UINT16_TO_STREAM(p, p_cfg->flush_to);
    599   }
    600   if (p_cfg->qos_present) {
    601     UINT8_TO_STREAM(p, L2CAP_CFG_TYPE_QOS);
    602     UINT8_TO_STREAM(p, L2CAP_CFG_QOS_OPTION_LEN);
    603     UINT8_TO_STREAM(p, p_cfg->qos.qos_flags);
    604     UINT8_TO_STREAM(p, p_cfg->qos.service_type);
    605     UINT32_TO_STREAM(p, p_cfg->qos.token_rate);
    606     UINT32_TO_STREAM(p, p_cfg->qos.token_bucket_size);
    607     UINT32_TO_STREAM(p, p_cfg->qos.peak_bandwidth);
    608     UINT32_TO_STREAM(p, p_cfg->qos.latency);
    609     UINT32_TO_STREAM(p, p_cfg->qos.delay_variation);
    610   }
    611   if (p_cfg->fcr_present) {
    612     UINT8_TO_STREAM(p, L2CAP_CFG_TYPE_FCR);
    613     UINT8_TO_STREAM(p, L2CAP_CFG_FCR_OPTION_LEN);
    614     UINT8_TO_STREAM(p, p_cfg->fcr.mode);
    615     UINT8_TO_STREAM(p, p_cfg->fcr.tx_win_sz);
    616     UINT8_TO_STREAM(p, p_cfg->fcr.max_transmit);
    617     UINT16_TO_STREAM(p, p_cfg->fcr.rtrans_tout);
    618     UINT16_TO_STREAM(p, p_cfg->fcr.mon_tout);
    619     UINT16_TO_STREAM(p, p_cfg->fcr.mps);
    620   }
    621 
    622   if (p_cfg->fcs_present) {
    623     UINT8_TO_STREAM(p, L2CAP_CFG_TYPE_FCS);
    624     UINT8_TO_STREAM(p, L2CAP_CFG_FCS_OPTION_LEN);
    625     UINT8_TO_STREAM(p, p_cfg->fcs);
    626   }
    627 
    628   if (p_cfg->ext_flow_spec_present) {
    629     UINT8_TO_STREAM(p, L2CAP_CFG_TYPE_EXT_FLOW);
    630     UINT8_TO_STREAM(p, L2CAP_CFG_EXT_FLOW_OPTION_LEN);
    631     UINT8_TO_STREAM(p, p_cfg->ext_flow_spec.id);
    632     UINT8_TO_STREAM(p, p_cfg->ext_flow_spec.stype);
    633     UINT16_TO_STREAM(p, p_cfg->ext_flow_spec.max_sdu_size);
    634     UINT32_TO_STREAM(p, p_cfg->ext_flow_spec.sdu_inter_time);
    635     UINT32_TO_STREAM(p, p_cfg->ext_flow_spec.access_latency);
    636     UINT32_TO_STREAM(p, p_cfg->ext_flow_spec.flush_timeout);
    637   }
    638 
    639   l2c_link_check_send_pkts(p_ccb->p_lcb, NULL, p_buf);
    640 }
    641 
    642 /*******************************************************************************
    643  *
    644  * Function         l2cu_send_peer_config_rsp
    645  *
    646  * Description      Build and send an L2CAP "configuration response" message
    647  *                  to the peer.
    648  *
    649  * Returns          void
    650  *
    651  ******************************************************************************/
    652 void l2cu_send_peer_config_rsp(tL2C_CCB* p_ccb, tL2CAP_CFG_INFO* p_cfg) {
    653   BT_HDR* p_buf;
    654   uint16_t cfg_len = 0;
    655   uint8_t* p;
    656 
    657   /* Create an identifier for this packet */
    658   if (p_cfg->mtu_present)
    659     cfg_len += L2CAP_CFG_MTU_OPTION_LEN + L2CAP_CFG_OPTION_OVERHEAD;
    660   if (p_cfg->flush_to_present)
    661     cfg_len += L2CAP_CFG_FLUSH_OPTION_LEN + L2CAP_CFG_OPTION_OVERHEAD;
    662   if (p_cfg->qos_present)
    663     cfg_len += L2CAP_CFG_QOS_OPTION_LEN + L2CAP_CFG_OPTION_OVERHEAD;
    664   if (p_cfg->fcr_present)
    665     cfg_len += L2CAP_CFG_FCR_OPTION_LEN + L2CAP_CFG_OPTION_OVERHEAD;
    666   if (p_cfg->ext_flow_spec_present)
    667     cfg_len += L2CAP_CFG_EXT_FLOW_OPTION_LEN + L2CAP_CFG_OPTION_OVERHEAD;
    668 
    669   p_buf = l2cu_build_header(p_ccb->p_lcb,
    670                             (uint16_t)(L2CAP_CONFIG_RSP_LEN + cfg_len),
    671                             L2CAP_CMD_CONFIG_RSP, p_ccb->remote_id);
    672   if (p_buf == NULL) {
    673     L2CAP_TRACE_WARNING("L2CAP - no buffer for conn_req");
    674     return;
    675   }
    676 
    677   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
    678       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
    679 
    680   UINT16_TO_STREAM(p, p_ccb->remote_cid);
    681   UINT16_TO_STREAM(p,
    682                    p_cfg->flags); /* Flags (continuation) Must match request */
    683   UINT16_TO_STREAM(p, p_cfg->result);
    684 
    685   /* Now, put the options */
    686   if (p_cfg->mtu_present) {
    687     UINT8_TO_STREAM(p, L2CAP_CFG_TYPE_MTU);
    688     UINT8_TO_STREAM(p, L2CAP_CFG_MTU_OPTION_LEN);
    689     UINT16_TO_STREAM(p, p_cfg->mtu);
    690   }
    691   if (p_cfg->flush_to_present) {
    692     UINT8_TO_STREAM(p, L2CAP_CFG_TYPE_FLUSH_TOUT);
    693     UINT8_TO_STREAM(p, L2CAP_CFG_FLUSH_OPTION_LEN);
    694     UINT16_TO_STREAM(p, p_cfg->flush_to);
    695   }
    696   if (p_cfg->qos_present) {
    697     UINT8_TO_STREAM(p, L2CAP_CFG_TYPE_QOS);
    698     UINT8_TO_STREAM(p, L2CAP_CFG_QOS_OPTION_LEN);
    699     UINT8_TO_STREAM(p, p_cfg->qos.qos_flags);
    700     UINT8_TO_STREAM(p, p_cfg->qos.service_type);
    701     UINT32_TO_STREAM(p, p_cfg->qos.token_rate);
    702     UINT32_TO_STREAM(p, p_cfg->qos.token_bucket_size);
    703     UINT32_TO_STREAM(p, p_cfg->qos.peak_bandwidth);
    704     UINT32_TO_STREAM(p, p_cfg->qos.latency);
    705     UINT32_TO_STREAM(p, p_cfg->qos.delay_variation);
    706   }
    707   if (p_cfg->fcr_present) {
    708     UINT8_TO_STREAM(p, L2CAP_CFG_TYPE_FCR);
    709     UINT8_TO_STREAM(p, L2CAP_CFG_FCR_OPTION_LEN);
    710     UINT8_TO_STREAM(p, p_cfg->fcr.mode);
    711     UINT8_TO_STREAM(p, p_cfg->fcr.tx_win_sz);
    712     UINT8_TO_STREAM(p, p_cfg->fcr.max_transmit);
    713     UINT16_TO_STREAM(p, p_ccb->our_cfg.fcr.rtrans_tout);
    714     UINT16_TO_STREAM(p, p_ccb->our_cfg.fcr.mon_tout);
    715     UINT16_TO_STREAM(p, p_cfg->fcr.mps);
    716   }
    717 
    718   if (p_cfg->ext_flow_spec_present) {
    719     UINT8_TO_STREAM(p, L2CAP_CFG_TYPE_EXT_FLOW);
    720     UINT8_TO_STREAM(p, L2CAP_CFG_EXT_FLOW_OPTION_LEN);
    721     UINT8_TO_STREAM(p, p_cfg->ext_flow_spec.id);
    722     UINT8_TO_STREAM(p, p_cfg->ext_flow_spec.stype);
    723     UINT16_TO_STREAM(p, p_cfg->ext_flow_spec.max_sdu_size);
    724     UINT32_TO_STREAM(p, p_cfg->ext_flow_spec.sdu_inter_time);
    725     UINT32_TO_STREAM(p, p_cfg->ext_flow_spec.access_latency);
    726     UINT32_TO_STREAM(p, p_cfg->ext_flow_spec.flush_timeout);
    727   }
    728 
    729   l2c_link_check_send_pkts(p_ccb->p_lcb, NULL, p_buf);
    730 }
    731 
    732 /*******************************************************************************
    733  *
    734  * Function         l2cu_send_peer_config_rej
    735  *
    736  * Description      Build and send an L2CAP "configuration reject" message
    737  *                  to the peer.
    738  *
    739  * Returns          void
    740  *
    741  ******************************************************************************/
    742 void l2cu_send_peer_config_rej(tL2C_CCB* p_ccb, uint8_t* p_data,
    743                                uint16_t data_len, uint16_t rej_len) {
    744   uint16_t len, cfg_len, buf_space, len1;
    745   uint8_t *p, *p_hci_len, *p_data_end;
    746   uint8_t cfg_code;
    747 
    748   L2CAP_TRACE_DEBUG("l2cu_send_peer_config_rej: data_len=%d, rej_len=%d",
    749                     data_len, rej_len);
    750 
    751   len = BT_HDR_SIZE + HCI_DATA_PREAMBLE_SIZE + L2CAP_PKT_OVERHEAD +
    752         L2CAP_CMD_OVERHEAD + L2CAP_CONFIG_RSP_LEN;
    753   len1 = 0xFFFF - len;
    754   if (rej_len > len1) {
    755     L2CAP_TRACE_ERROR(
    756         "L2CAP - cfg_rej pkt size exceeds buffer design max limit.");
    757     return;
    758   }
    759 
    760   BT_HDR* p_buf = (BT_HDR*)osi_malloc(len + rej_len);
    761   p_buf->offset = L2CAP_SEND_CMD_OFFSET;
    762   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET;
    763 
    764 /* Put in HCI header - handle + pkt boundary */
    765 #if (L2CAP_NON_FLUSHABLE_PB_INCLUDED == TRUE)
    766   if (HCI_NON_FLUSHABLE_PB_SUPPORTED(BTM_ReadLocalFeatures())) {
    767     UINT16_TO_STREAM(p, (p_ccb->p_lcb->handle | (L2CAP_PKT_START_NON_FLUSHABLE
    768                                                  << L2CAP_PKT_TYPE_SHIFT)));
    769   } else
    770 #endif
    771   {
    772     UINT16_TO_STREAM(
    773         p, (p_ccb->p_lcb->handle | (L2CAP_PKT_START << L2CAP_PKT_TYPE_SHIFT)));
    774   }
    775 
    776   /* Remember the HCI header length position, and save space for it */
    777   p_hci_len = p;
    778   p += 2;
    779 
    780   /* Put in L2CAP packet header */
    781   UINT16_TO_STREAM(p, L2CAP_CMD_OVERHEAD + L2CAP_CONFIG_RSP_LEN + rej_len);
    782   UINT16_TO_STREAM(p, L2CAP_SIGNALLING_CID);
    783 
    784   /* Put in L2CAP command header */
    785   UINT8_TO_STREAM(p, L2CAP_CMD_CONFIG_RSP);
    786   UINT8_TO_STREAM(p, p_ccb->remote_id);
    787 
    788   UINT16_TO_STREAM(p, L2CAP_CONFIG_RSP_LEN + rej_len);
    789 
    790   UINT16_TO_STREAM(p, p_ccb->remote_cid);
    791   UINT16_TO_STREAM(p, 0); /* Flags = 0 (no continuation) */
    792   UINT16_TO_STREAM(p, L2CAP_CFG_UNKNOWN_OPTIONS);
    793 
    794   buf_space = rej_len;
    795 
    796   /* Now, put the rejected options */
    797   p_data_end = p_data + data_len;
    798   while (p_data < p_data_end) {
    799     cfg_code = *p_data;
    800     cfg_len = *(p_data + 1);
    801 
    802     switch (cfg_code & 0x7F) {
    803       /* skip known options */
    804       case L2CAP_CFG_TYPE_MTU:
    805       case L2CAP_CFG_TYPE_FLUSH_TOUT:
    806       case L2CAP_CFG_TYPE_QOS:
    807         p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
    808         break;
    809 
    810       /* unknown options; copy into rsp if not hints */
    811       default:
    812         /* sanity check option length */
    813         if ((cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= data_len) {
    814           if ((cfg_code & 0x80) == 0) {
    815             if (buf_space >= (cfg_len + L2CAP_CFG_OPTION_OVERHEAD)) {
    816               memcpy(p, p_data, cfg_len + L2CAP_CFG_OPTION_OVERHEAD);
    817               p += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
    818               buf_space -= (cfg_len + L2CAP_CFG_OPTION_OVERHEAD);
    819             } else {
    820               L2CAP_TRACE_WARNING("L2CAP - cfg_rej exceeds allocated buffer");
    821               p_data = p_data_end; /* force loop exit */
    822               break;
    823             }
    824           }
    825           p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
    826         }
    827         /* bad length; force loop exit */
    828         else {
    829           p_data = p_data_end;
    830         }
    831         break;
    832     }
    833   }
    834 
    835   len = (uint16_t)(p - p_hci_len - 2);
    836   UINT16_TO_STREAM(p_hci_len, len);
    837 
    838   p_buf->len = len + 4;
    839 
    840   L2CAP_TRACE_DEBUG("L2CAP - cfg_rej pkt hci_len=%d, l2cap_len=%d", len,
    841                     (L2CAP_CMD_OVERHEAD + L2CAP_CONFIG_RSP_LEN + rej_len));
    842 
    843   l2c_link_check_send_pkts(p_ccb->p_lcb, NULL, p_buf);
    844 }
    845 
    846 /*******************************************************************************
    847  *
    848  * Function         l2cu_send_peer_disc_req
    849  *
    850  * Description      Build and send an L2CAP "disconnect request" message
    851  *                  to the peer.
    852  *
    853  * Returns          void
    854  *
    855  ******************************************************************************/
    856 void l2cu_send_peer_disc_req(tL2C_CCB* p_ccb) {
    857   BT_HDR *p_buf, *p_buf2;
    858   uint8_t* p;
    859 
    860   if ((!p_ccb) || (p_ccb->p_lcb == NULL)) {
    861     L2CAP_TRACE_ERROR("%s L2CAP - ccb or lcb invalid", __func__);
    862     return;
    863   }
    864 
    865   /* Create an identifier for this packet */
    866   p_ccb->p_lcb->id++;
    867   l2cu_adj_id(p_ccb->p_lcb, L2CAP_ADJ_ID);
    868 
    869   p_ccb->local_id = p_ccb->p_lcb->id;
    870 
    871   p_buf = l2cu_build_header(p_ccb->p_lcb, L2CAP_DISC_REQ_LEN,
    872                             L2CAP_CMD_DISC_REQ, p_ccb->local_id);
    873   if (p_buf == NULL) {
    874     L2CAP_TRACE_WARNING("L2CAP - no buffer for disc_req");
    875     return;
    876   }
    877 
    878   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
    879       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
    880 
    881   UINT16_TO_STREAM(p, p_ccb->remote_cid);
    882   UINT16_TO_STREAM(p, p_ccb->local_cid);
    883 
    884   /* Move all queued data packets to the LCB. In FCR mode, assume the higher
    885      layer checks that all buffers are sent before disconnecting.
    886   */
    887   if (p_ccb->peer_cfg.fcr.mode == L2CAP_FCR_BASIC_MODE) {
    888     while ((p_buf2 = (BT_HDR*)fixed_queue_try_dequeue(p_ccb->xmit_hold_q)) !=
    889            NULL) {
    890       l2cu_set_acl_hci_header(p_buf2, p_ccb);
    891       l2c_link_check_send_pkts(p_ccb->p_lcb, p_ccb, p_buf2);
    892     }
    893   }
    894 
    895   l2c_link_check_send_pkts(p_ccb->p_lcb, NULL, p_buf);
    896 }
    897 
    898 /*******************************************************************************
    899  *
    900  * Function         l2cu_send_peer_disc_rsp
    901  *
    902  * Description      Build and send an L2CAP "disconnect response" message
    903  *                  to the peer.
    904  *
    905  *                  This function is passed the parameters for the disconnect
    906  *                  response instead of the CCB address, as it may be called
    907  *                  to send a disconnect response when there is no CCB.
    908  *
    909  * Returns          void
    910  *
    911  ******************************************************************************/
    912 void l2cu_send_peer_disc_rsp(tL2C_LCB* p_lcb, uint8_t remote_id,
    913                              uint16_t local_cid, uint16_t remote_cid) {
    914   BT_HDR* p_buf;
    915   uint8_t* p;
    916 
    917   p_buf = l2cu_build_header(p_lcb, L2CAP_DISC_RSP_LEN, L2CAP_CMD_DISC_RSP,
    918                             remote_id);
    919   if (p_buf == NULL) {
    920     L2CAP_TRACE_WARNING("L2CAP - no buffer for disc_rsp");
    921     return;
    922   }
    923 
    924   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
    925       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
    926 
    927   UINT16_TO_STREAM(p, local_cid);
    928   UINT16_TO_STREAM(p, remote_cid);
    929 
    930   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
    931 }
    932 
    933 /*******************************************************************************
    934  *
    935  * Function         l2cu_send_peer_echo_req
    936  *
    937  * Description      Build and send an L2CAP "echo request" message
    938  *                  to the peer. Note that we do not currently allow
    939  *                  data in the echo request.
    940  *
    941  * Returns          void
    942  *
    943  ******************************************************************************/
    944 void l2cu_send_peer_echo_req(tL2C_LCB* p_lcb, uint8_t* p_data,
    945                              uint16_t data_len) {
    946   BT_HDR* p_buf;
    947   uint8_t* p;
    948 
    949   p_lcb->id++;
    950   l2cu_adj_id(p_lcb, L2CAP_ADJ_ZERO_ID); /* check for wrap to '0' */
    951 
    952   p_buf = l2cu_build_header(p_lcb, (uint16_t)(L2CAP_ECHO_REQ_LEN + data_len),
    953                             L2CAP_CMD_ECHO_REQ, p_lcb->id);
    954   if (p_buf == NULL) {
    955     L2CAP_TRACE_WARNING("L2CAP - no buffer for echo_req");
    956     return;
    957   }
    958 
    959   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
    960       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
    961 
    962   if (data_len) {
    963     ARRAY_TO_STREAM(p, p_data, data_len);
    964   }
    965 
    966   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
    967 }
    968 
    969 /*******************************************************************************
    970  *
    971  * Function         l2cu_send_peer_echo_rsp
    972  *
    973  * Description      Build and send an L2CAP "echo response" message
    974  *                  to the peer.
    975  *
    976  * Returns          void
    977  *
    978  ******************************************************************************/
    979 void l2cu_send_peer_echo_rsp(tL2C_LCB* p_lcb, uint8_t id, uint8_t* p_data,
    980                              uint16_t data_len) {
    981   BT_HDR* p_buf;
    982   uint8_t* p;
    983   uint16_t maxlen;
    984   /* Filter out duplicate IDs or if available buffers are low (intruder
    985    * checking) */
    986   if (!id || id == p_lcb->cur_echo_id) {
    987     /* Dump this request since it is illegal */
    988     L2CAP_TRACE_WARNING("L2CAP ignoring duplicate echo request (%d)", id);
    989     return;
    990   } else
    991     p_lcb->cur_echo_id = id;
    992 
    993   uint16_t acl_data_size =
    994       controller_get_interface()->get_acl_data_size_classic();
    995   uint16_t acl_packet_size =
    996       controller_get_interface()->get_acl_packet_size_classic();
    997   /* Don't return data if it does not fit in ACL and L2CAP MTU */
    998   maxlen = (L2CAP_CMD_BUF_SIZE > acl_packet_size)
    999                ? acl_data_size
   1000                : (uint16_t)L2CAP_CMD_BUF_SIZE;
   1001   maxlen -=
   1002       (uint16_t)(BT_HDR_SIZE + HCI_DATA_PREAMBLE_SIZE + L2CAP_PKT_OVERHEAD +
   1003                  L2CAP_CMD_OVERHEAD + L2CAP_ECHO_RSP_LEN);
   1004 
   1005   if (data_len > maxlen) data_len = 0;
   1006 
   1007   p_buf = l2cu_build_header(p_lcb, (uint16_t)(L2CAP_ECHO_RSP_LEN + data_len),
   1008                             L2CAP_CMD_ECHO_RSP, id);
   1009   if (p_buf == NULL) {
   1010     L2CAP_TRACE_WARNING("L2CAP - no buffer for echo_rsp");
   1011     return;
   1012   }
   1013 
   1014   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
   1015       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
   1016 
   1017   if (data_len) {
   1018     ARRAY_TO_STREAM(p, p_data, data_len);
   1019   }
   1020 
   1021   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
   1022 }
   1023 
   1024 /*******************************************************************************
   1025  *
   1026  * Function         l2cu_send_peer_info_req
   1027  *
   1028  * Description      Build and send an L2CAP "info request" message
   1029  *                  to the peer.
   1030  * Returns          void
   1031  *
   1032  ******************************************************************************/
   1033 void l2cu_send_peer_info_req(tL2C_LCB* p_lcb, uint16_t info_type) {
   1034   BT_HDR* p_buf;
   1035   uint8_t* p;
   1036 
   1037   /* check for wrap and/or BRCM ID */
   1038   p_lcb->id++;
   1039   l2cu_adj_id(p_lcb, L2CAP_ADJ_ID);
   1040 
   1041   p_buf = l2cu_build_header(p_lcb, 2, L2CAP_CMD_INFO_REQ, p_lcb->id);
   1042   if (p_buf == NULL) {
   1043     L2CAP_TRACE_WARNING("L2CAP - no buffer for info_req");
   1044     return;
   1045   }
   1046 
   1047   L2CAP_TRACE_EVENT("l2cu_send_peer_info_req: type 0x%04x", info_type);
   1048 
   1049   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
   1050       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
   1051 
   1052   UINT16_TO_STREAM(p, info_type);
   1053 
   1054   p_lcb->w4_info_rsp = true;
   1055   alarm_set_on_mloop(p_lcb->info_resp_timer, L2CAP_WAIT_INFO_RSP_TIMEOUT_MS,
   1056                      l2c_info_resp_timer_timeout, p_lcb);
   1057 
   1058   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
   1059 }
   1060 
   1061 /*******************************************************************************
   1062  *
   1063  * Function         l2cu_send_peer_info_rsp
   1064  *
   1065  * Description      Build and send an L2CAP "info response" message
   1066  *                  to the peer.
   1067  *
   1068  * Returns          void
   1069  *
   1070  ******************************************************************************/
   1071 void l2cu_send_peer_info_rsp(tL2C_LCB* p_lcb, uint8_t remote_id,
   1072                              uint16_t info_type) {
   1073   BT_HDR* p_buf;
   1074   uint8_t* p;
   1075   uint16_t len = L2CAP_INFO_RSP_LEN;
   1076 
   1077 #if (L2CAP_CONFORMANCE_TESTING == TRUE)
   1078   if ((info_type == L2CAP_EXTENDED_FEATURES_INFO_TYPE) &&
   1079       (l2cb.test_info_resp &
   1080        (L2CAP_EXTFEA_ENH_RETRANS | L2CAP_EXTFEA_STREAM_MODE |
   1081         L2CAP_EXTFEA_NO_CRC | L2CAP_EXTFEA_EXT_FLOW_SPEC |
   1082         L2CAP_EXTFEA_FIXED_CHNLS | L2CAP_EXTFEA_EXT_WINDOW |
   1083         L2CAP_EXTFEA_UCD_RECEPTION)))
   1084 #else
   1085   if ((info_type == L2CAP_EXTENDED_FEATURES_INFO_TYPE) &&
   1086       (L2CAP_EXTFEA_SUPPORTED_MASK &
   1087        (L2CAP_EXTFEA_ENH_RETRANS | L2CAP_EXTFEA_STREAM_MODE |
   1088         L2CAP_EXTFEA_NO_CRC | L2CAP_EXTFEA_FIXED_CHNLS |
   1089         L2CAP_EXTFEA_UCD_RECEPTION)) != 0)
   1090 #endif
   1091   {
   1092     len += L2CAP_EXTENDED_FEATURES_ARRAY_SIZE;
   1093   } else if (info_type == L2CAP_FIXED_CHANNELS_INFO_TYPE) {
   1094     len += L2CAP_FIXED_CHNL_ARRAY_SIZE;
   1095   } else if (info_type == L2CAP_CONNLESS_MTU_INFO_TYPE) {
   1096     len += L2CAP_CONNLESS_MTU_INFO_SIZE;
   1097   }
   1098 
   1099   p_buf = l2cu_build_header(p_lcb, len, L2CAP_CMD_INFO_RSP, remote_id);
   1100   if (p_buf == NULL) {
   1101     L2CAP_TRACE_WARNING("L2CAP - no buffer for info_rsp");
   1102     return;
   1103   }
   1104 
   1105   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
   1106       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
   1107 
   1108   UINT16_TO_STREAM(p, info_type);
   1109 
   1110 #if (L2CAP_CONFORMANCE_TESTING == TRUE)
   1111   if ((info_type == L2CAP_EXTENDED_FEATURES_INFO_TYPE) &&
   1112       (l2cb.test_info_resp &
   1113        (L2CAP_EXTFEA_ENH_RETRANS | L2CAP_EXTFEA_STREAM_MODE |
   1114         L2CAP_EXTFEA_UCD_RECEPTION)))
   1115 #else
   1116   if ((info_type == L2CAP_EXTENDED_FEATURES_INFO_TYPE) &&
   1117       (L2CAP_EXTFEA_SUPPORTED_MASK &
   1118        (L2CAP_EXTFEA_ENH_RETRANS | L2CAP_EXTFEA_STREAM_MODE |
   1119         L2CAP_EXTFEA_UCD_RECEPTION)) != 0)
   1120 #endif
   1121   {
   1122     UINT16_TO_STREAM(p, L2CAP_INFO_RESP_RESULT_SUCCESS);
   1123     if (p_lcb->transport == BT_TRANSPORT_LE) {
   1124       /* optional data are not added for now */
   1125       UINT32_TO_STREAM(p, L2CAP_BLE_EXTFEA_MASK);
   1126     } else {
   1127 #if (L2CAP_CONFORMANCE_TESTING == TRUE)
   1128       UINT32_TO_STREAM(p, l2cb.test_info_resp);
   1129 #else
   1130 #if (L2CAP_NUM_FIXED_CHNLS > 0)
   1131       UINT32_TO_STREAM(p,
   1132                        L2CAP_EXTFEA_SUPPORTED_MASK | L2CAP_EXTFEA_FIXED_CHNLS);
   1133 #else
   1134       UINT32_TO_STREAM(p, L2CAP_EXTFEA_SUPPORTED_MASK);
   1135 #endif
   1136 #endif
   1137     }
   1138   } else if (info_type == L2CAP_FIXED_CHANNELS_INFO_TYPE) {
   1139     UINT16_TO_STREAM(p, L2CAP_INFO_RESP_RESULT_SUCCESS);
   1140     memset(p, 0, L2CAP_FIXED_CHNL_ARRAY_SIZE);
   1141 
   1142     p[0] = L2CAP_FIXED_CHNL_SIG_BIT;
   1143 
   1144     if (L2CAP_EXTFEA_SUPPORTED_MASK & L2CAP_EXTFEA_UCD_RECEPTION)
   1145       p[0] |= L2CAP_FIXED_CHNL_CNCTLESS_BIT;
   1146 
   1147 #if (L2CAP_NUM_FIXED_CHNLS > 0)
   1148     {
   1149       int xx;
   1150 
   1151       for (xx = 0; xx < L2CAP_NUM_FIXED_CHNLS; xx++) {
   1152         /* Skip fixed channels not used on BR/EDR-ACL link */
   1153         if ((xx >= L2CAP_ATT_CID - L2CAP_FIRST_FIXED_CHNL) &&
   1154             (xx <= L2CAP_SMP_CID - L2CAP_FIRST_FIXED_CHNL))
   1155           continue;
   1156 
   1157         if (l2cb.fixed_reg[xx].pL2CA_FixedConn_Cb != NULL)
   1158           p[(xx + L2CAP_FIRST_FIXED_CHNL) / 8] |=
   1159               1 << ((xx + L2CAP_FIRST_FIXED_CHNL) % 8);
   1160       }
   1161     }
   1162 #endif
   1163   } else if (info_type == L2CAP_CONNLESS_MTU_INFO_TYPE) {
   1164     UINT16_TO_STREAM(p, L2CAP_INFO_RESP_RESULT_SUCCESS);
   1165     UINT16_TO_STREAM(p, L2CAP_UCD_MTU);
   1166   } else {
   1167     UINT16_TO_STREAM(
   1168         p, L2CAP_INFO_RESP_RESULT_NOT_SUPPORTED); /* 'not supported' */
   1169   }
   1170 
   1171   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
   1172 }
   1173 
   1174 /******************************************************************************
   1175  *
   1176  * Function         l2cu_enqueue_ccb
   1177  *
   1178  * Description      queue CCB by priority. The first CCB is highest priority and
   1179  *                  is served at first. The CCB is queued to an LLCB or an LCB.
   1180  *
   1181  * Returns          None
   1182  *
   1183  ******************************************************************************/
   1184 void l2cu_enqueue_ccb(tL2C_CCB* p_ccb) {
   1185   tL2C_CCB* p_ccb1;
   1186   tL2C_CCB_Q* p_q = NULL;
   1187 
   1188   /* Find out which queue the channel is on
   1189   */
   1190   if (p_ccb->p_lcb != NULL) p_q = &p_ccb->p_lcb->ccb_queue;
   1191 
   1192   if ((!p_ccb->in_use) || (p_q == NULL)) {
   1193     L2CAP_TRACE_ERROR(
   1194         "l2cu_enqueue_ccb  CID: 0x%04x ERROR in_use: %u  p_lcb: 0x%08x",
   1195         p_ccb->local_cid, p_ccb->in_use, p_ccb->p_lcb);
   1196     return;
   1197   }
   1198 
   1199   L2CAP_TRACE_DEBUG("l2cu_enqueue_ccb CID: 0x%04x  priority: %d",
   1200                     p_ccb->local_cid, p_ccb->ccb_priority);
   1201 
   1202   /* If the queue is empty, we go at the front */
   1203   if (!p_q->p_first_ccb) {
   1204     p_q->p_first_ccb = p_q->p_last_ccb = p_ccb;
   1205     p_ccb->p_next_ccb = p_ccb->p_prev_ccb = NULL;
   1206   } else {
   1207     p_ccb1 = p_q->p_first_ccb;
   1208 
   1209     while (p_ccb1 != NULL) {
   1210       /* Insert new ccb at the end of the same priority. Lower number, higher
   1211        * priority */
   1212       if (p_ccb->ccb_priority < p_ccb1->ccb_priority) {
   1213         /* Are we at the head of the queue ? */
   1214         if (p_ccb1 == p_q->p_first_ccb)
   1215           p_q->p_first_ccb = p_ccb;
   1216         else
   1217           p_ccb1->p_prev_ccb->p_next_ccb = p_ccb;
   1218 
   1219         p_ccb->p_next_ccb = p_ccb1;
   1220         p_ccb->p_prev_ccb = p_ccb1->p_prev_ccb;
   1221         p_ccb1->p_prev_ccb = p_ccb;
   1222         break;
   1223       }
   1224 
   1225       p_ccb1 = p_ccb1->p_next_ccb;
   1226     }
   1227 
   1228     /* If we are lower then anyone in the list, we go at the end */
   1229     if (!p_ccb1) {
   1230       /* add new ccb at the end of the list */
   1231       p_q->p_last_ccb->p_next_ccb = p_ccb;
   1232 
   1233       p_ccb->p_next_ccb = NULL;
   1234       p_ccb->p_prev_ccb = p_q->p_last_ccb;
   1235       p_q->p_last_ccb = p_ccb;
   1236     }
   1237   }
   1238 
   1239 #if (L2CAP_ROUND_ROBIN_CHANNEL_SERVICE == TRUE)
   1240   /* Adding CCB into round robin service table of its LCB */
   1241   if (p_ccb->p_lcb != NULL) {
   1242     /* if this is the first channel in this priority group */
   1243     if (p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].num_ccb == 0) {
   1244       /* Set the first channel to this CCB */
   1245       p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].p_first_ccb = p_ccb;
   1246       /* Set the next serving channel in this group to this CCB */
   1247       p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].p_serve_ccb = p_ccb;
   1248       /* Initialize quota of this priority group based on its priority */
   1249       p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].quota =
   1250           L2CAP_GET_PRIORITY_QUOTA(p_ccb->ccb_priority);
   1251     }
   1252     /* increase number of channels in this group */
   1253     p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].num_ccb++;
   1254   }
   1255 #endif
   1256 }
   1257 
   1258 /******************************************************************************
   1259  *
   1260  * Function         l2cu_dequeue_ccb
   1261  *
   1262  * Description      dequeue CCB from a queue
   1263  *
   1264  * Returns          -
   1265  *
   1266  ******************************************************************************/
   1267 void l2cu_dequeue_ccb(tL2C_CCB* p_ccb) {
   1268   tL2C_CCB_Q* p_q = NULL;
   1269 
   1270   L2CAP_TRACE_DEBUG("l2cu_dequeue_ccb  CID: 0x%04x", p_ccb->local_cid);
   1271 
   1272   /* Find out which queue the channel is on
   1273   */
   1274   if (p_ccb->p_lcb != NULL) p_q = &p_ccb->p_lcb->ccb_queue;
   1275 
   1276   if ((!p_ccb->in_use) || (p_q == NULL) || (p_q->p_first_ccb == NULL)) {
   1277     L2CAP_TRACE_ERROR(
   1278         "l2cu_dequeue_ccb  CID: 0x%04x ERROR in_use: %u  p_lcb: 0x%08x  p_q: "
   1279         "0x%08x  p_q->p_first_ccb: 0x%08x",
   1280         p_ccb->local_cid, p_ccb->in_use, p_ccb->p_lcb, p_q,
   1281         p_q ? p_q->p_first_ccb : 0);
   1282     return;
   1283   }
   1284 
   1285 #if (L2CAP_ROUND_ROBIN_CHANNEL_SERVICE == TRUE)
   1286   /* Removing CCB from round robin service table of its LCB */
   1287   if (p_ccb->p_lcb != NULL) {
   1288     /* decrease number of channels in this priority group */
   1289     p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].num_ccb--;
   1290 
   1291     /* if it was the last channel in the priority group */
   1292     if (p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].num_ccb == 0) {
   1293       p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].p_first_ccb = NULL;
   1294       p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].p_serve_ccb = NULL;
   1295     } else {
   1296       /* if it is the first channel of this group */
   1297       if (p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].p_first_ccb == p_ccb) {
   1298         p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].p_first_ccb =
   1299             p_ccb->p_next_ccb;
   1300       }
   1301       /* if it is the next serving channel of this group */
   1302       if (p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].p_serve_ccb == p_ccb) {
   1303         /* simply, start serving from the first channel */
   1304         p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].p_serve_ccb =
   1305             p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].p_first_ccb;
   1306       }
   1307     }
   1308   }
   1309 #endif
   1310 
   1311   if (p_ccb == p_q->p_first_ccb) {
   1312     /* We are removing the first in a queue */
   1313     p_q->p_first_ccb = p_ccb->p_next_ccb;
   1314 
   1315     if (p_q->p_first_ccb)
   1316       p_q->p_first_ccb->p_prev_ccb = NULL;
   1317     else
   1318       p_q->p_last_ccb = NULL;
   1319   } else if (p_ccb == p_q->p_last_ccb) {
   1320     /* We are removing the last in a queue */
   1321     p_q->p_last_ccb = p_ccb->p_prev_ccb;
   1322     p_q->p_last_ccb->p_next_ccb = NULL;
   1323   } else {
   1324     /* In the middle of a chain. */
   1325     p_ccb->p_prev_ccb->p_next_ccb = p_ccb->p_next_ccb;
   1326     p_ccb->p_next_ccb->p_prev_ccb = p_ccb->p_prev_ccb;
   1327   }
   1328 
   1329   p_ccb->p_next_ccb = p_ccb->p_prev_ccb = NULL;
   1330 }
   1331 
   1332 /******************************************************************************
   1333  *
   1334  * Function         l2cu_change_pri_ccb
   1335  *
   1336  * Description
   1337  *
   1338  * Returns          -
   1339  *
   1340  ******************************************************************************/
   1341 void l2cu_change_pri_ccb(tL2C_CCB* p_ccb, tL2CAP_CHNL_PRIORITY priority) {
   1342   if (p_ccb->ccb_priority != priority) {
   1343     /* If CCB is not the only guy on the queue */
   1344     if ((p_ccb->p_next_ccb != NULL) || (p_ccb->p_prev_ccb != NULL)) {
   1345       L2CAP_TRACE_DEBUG("Update CCB list in logical link");
   1346 
   1347       /* Remove CCB from queue and re-queue it at new priority */
   1348       l2cu_dequeue_ccb(p_ccb);
   1349 
   1350       p_ccb->ccb_priority = priority;
   1351       l2cu_enqueue_ccb(p_ccb);
   1352     }
   1353 #if (L2CAP_ROUND_ROBIN_CHANNEL_SERVICE == TRUE)
   1354     else {
   1355       /* If CCB is the only guy on the queue, no need to re-enqueue */
   1356       /* update only round robin service data */
   1357       p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].num_ccb = 0;
   1358       p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].p_first_ccb = NULL;
   1359       p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].p_serve_ccb = NULL;
   1360 
   1361       p_ccb->ccb_priority = priority;
   1362 
   1363       p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].p_first_ccb = p_ccb;
   1364       p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].p_serve_ccb = p_ccb;
   1365       p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].quota =
   1366           L2CAP_GET_PRIORITY_QUOTA(p_ccb->ccb_priority);
   1367       p_ccb->p_lcb->rr_serv[p_ccb->ccb_priority].num_ccb = 1;
   1368     }
   1369 #endif
   1370   }
   1371 }
   1372 
   1373 /*******************************************************************************
   1374  *
   1375  * Function         l2cu_allocate_ccb
   1376  *
   1377  * Description      This function allocates a Channel Control Block and
   1378  *                  attaches it to a link control block. The local CID
   1379  *                  is also assigned.
   1380  *
   1381  * Returns          pointer to CCB, or NULL if none
   1382  *
   1383  ******************************************************************************/
   1384 tL2C_CCB* l2cu_allocate_ccb(tL2C_LCB* p_lcb, uint16_t cid) {
   1385   tL2C_CCB* p_ccb;
   1386   tL2C_CCB* p_prev;
   1387 
   1388   L2CAP_TRACE_DEBUG("l2cu_allocate_ccb: cid 0x%04x", cid);
   1389 
   1390   if (!l2cb.p_free_ccb_first) return (NULL);
   1391 
   1392   /* If a CID was passed in, use that, else take the first free one */
   1393   if (cid == 0) {
   1394     p_ccb = l2cb.p_free_ccb_first;
   1395     l2cb.p_free_ccb_first = p_ccb->p_next_ccb;
   1396   } else {
   1397     p_prev = NULL;
   1398 
   1399     p_ccb = &l2cb.ccb_pool[cid - L2CAP_BASE_APPL_CID];
   1400 
   1401     if (p_ccb == l2cb.p_free_ccb_first)
   1402       l2cb.p_free_ccb_first = p_ccb->p_next_ccb;
   1403     else {
   1404       for (p_prev = l2cb.p_free_ccb_first; p_prev != NULL;
   1405            p_prev = p_prev->p_next_ccb) {
   1406         if (p_prev->p_next_ccb == p_ccb) {
   1407           p_prev->p_next_ccb = p_ccb->p_next_ccb;
   1408 
   1409           if (p_ccb == l2cb.p_free_ccb_last) l2cb.p_free_ccb_last = p_prev;
   1410 
   1411           break;
   1412         }
   1413       }
   1414       if (p_prev == NULL) {
   1415         L2CAP_TRACE_ERROR(
   1416             "l2cu_allocate_ccb: could not find CCB for CID 0x%04x in the free "
   1417             "list",
   1418             cid);
   1419         return NULL;
   1420       }
   1421     }
   1422   }
   1423 
   1424   p_ccb->p_next_ccb = p_ccb->p_prev_ccb = NULL;
   1425 
   1426   p_ccb->in_use = true;
   1427 
   1428   /* Get a CID for the connection */
   1429   p_ccb->local_cid = L2CAP_BASE_APPL_CID + (uint16_t)(p_ccb - l2cb.ccb_pool);
   1430 
   1431   p_ccb->p_lcb = p_lcb;
   1432   p_ccb->p_rcb = NULL;
   1433   p_ccb->should_free_rcb = false;
   1434 
   1435   /* Set priority then insert ccb into LCB queue (if we have an LCB) */
   1436   p_ccb->ccb_priority = L2CAP_CHNL_PRIORITY_LOW;
   1437 
   1438   if (p_lcb) l2cu_enqueue_ccb(p_ccb);
   1439 
   1440   /* clear what peer wants to configure */
   1441   p_ccb->peer_cfg_bits = 0;
   1442 
   1443   /* Put in default values for configuration */
   1444   memset(&p_ccb->our_cfg, 0, sizeof(tL2CAP_CFG_INFO));
   1445   memset(&p_ccb->peer_cfg, 0, sizeof(tL2CAP_CFG_INFO));
   1446 
   1447   /* Put in default values for local/peer configurations */
   1448   p_ccb->our_cfg.flush_to = p_ccb->peer_cfg.flush_to = L2CAP_DEFAULT_FLUSH_TO;
   1449   p_ccb->our_cfg.mtu = p_ccb->peer_cfg.mtu = L2CAP_DEFAULT_MTU;
   1450   p_ccb->our_cfg.qos.service_type = p_ccb->peer_cfg.qos.service_type =
   1451       L2CAP_DEFAULT_SERV_TYPE;
   1452   p_ccb->our_cfg.qos.token_rate = p_ccb->peer_cfg.qos.token_rate =
   1453       L2CAP_DEFAULT_TOKEN_RATE;
   1454   p_ccb->our_cfg.qos.token_bucket_size = p_ccb->peer_cfg.qos.token_bucket_size =
   1455       L2CAP_DEFAULT_BUCKET_SIZE;
   1456   p_ccb->our_cfg.qos.peak_bandwidth = p_ccb->peer_cfg.qos.peak_bandwidth =
   1457       L2CAP_DEFAULT_PEAK_BANDWIDTH;
   1458   p_ccb->our_cfg.qos.latency = p_ccb->peer_cfg.qos.latency =
   1459       L2CAP_DEFAULT_LATENCY;
   1460   p_ccb->our_cfg.qos.delay_variation = p_ccb->peer_cfg.qos.delay_variation =
   1461       L2CAP_DEFAULT_DELAY;
   1462 
   1463   p_ccb->bypass_fcs = 0;
   1464   memset(&p_ccb->ertm_info, 0, sizeof(tL2CAP_ERTM_INFO));
   1465   p_ccb->peer_cfg_already_rejected = false;
   1466   p_ccb->fcr_cfg_tries = L2CAP_MAX_FCR_CFG_TRIES;
   1467 
   1468   alarm_free(p_ccb->fcrb.ack_timer);
   1469   p_ccb->fcrb.ack_timer = alarm_new("l2c_fcrb.ack_timer");
   1470 
   1471   /*  CSP408639 Fix: When L2CAP send amp move channel request or receive
   1472     * L2CEVT_AMP_MOVE_REQ do following sequence. Send channel move
   1473     * request -> Stop retrans/monitor timer -> Change channel state to
   1474    * CST_AMP_MOVING. */
   1475   alarm_free(p_ccb->fcrb.mon_retrans_timer);
   1476   p_ccb->fcrb.mon_retrans_timer = alarm_new("l2c_fcrb.mon_retrans_timer");
   1477 
   1478   p_ccb->ertm_info.preferred_mode =
   1479       L2CAP_FCR_BASIC_MODE; /* Default mode for channel is basic mode */
   1480   p_ccb->ertm_info.allowed_modes =
   1481       L2CAP_FCR_CHAN_OPT_BASIC; /* Default mode for channel is basic mode */
   1482   p_ccb->ertm_info.fcr_rx_buf_size = L2CAP_FCR_RX_BUF_SIZE;
   1483   p_ccb->ertm_info.fcr_tx_buf_size = L2CAP_FCR_TX_BUF_SIZE;
   1484   p_ccb->ertm_info.user_rx_buf_size = L2CAP_USER_RX_BUF_SIZE;
   1485   p_ccb->ertm_info.user_tx_buf_size = L2CAP_USER_TX_BUF_SIZE;
   1486   p_ccb->max_rx_mtu = L2CAP_MTU_SIZE;
   1487   p_ccb->tx_mps = L2CAP_FCR_TX_BUF_SIZE - 32;
   1488 
   1489   p_ccb->xmit_hold_q = fixed_queue_new(SIZE_MAX);
   1490   p_ccb->fcrb.srej_rcv_hold_q = fixed_queue_new(SIZE_MAX);
   1491   p_ccb->fcrb.retrans_q = fixed_queue_new(SIZE_MAX);
   1492   p_ccb->fcrb.waiting_for_ack_q = fixed_queue_new(SIZE_MAX);
   1493 
   1494   p_ccb->cong_sent = false;
   1495   p_ccb->buff_quota = 2; /* This gets set after config */
   1496 
   1497   /* If CCB was reserved Config_Done can already have some value */
   1498   if (cid == 0)
   1499     p_ccb->config_done = 0;
   1500   else {
   1501     L2CAP_TRACE_DEBUG("l2cu_allocate_ccb: cid 0x%04x config_done:0x%x", cid,
   1502                       p_ccb->config_done);
   1503   }
   1504 
   1505   p_ccb->chnl_state = CST_CLOSED;
   1506   p_ccb->flags = 0;
   1507   p_ccb->tx_data_rate = L2CAP_CHNL_DATA_RATE_LOW;
   1508   p_ccb->rx_data_rate = L2CAP_CHNL_DATA_RATE_LOW;
   1509 
   1510 #if (L2CAP_NON_FLUSHABLE_PB_INCLUDED == TRUE)
   1511   p_ccb->is_flushable = false;
   1512 #endif
   1513 
   1514   alarm_free(p_ccb->l2c_ccb_timer);
   1515   p_ccb->l2c_ccb_timer = alarm_new("l2c.l2c_ccb_timer");
   1516 
   1517   l2c_link_adjust_chnl_allocation();
   1518 
   1519   return (p_ccb);
   1520 }
   1521 
   1522 /*******************************************************************************
   1523  *
   1524  * Function         l2cu_start_post_bond_timer
   1525  *
   1526  * Description      This function starts the ACL Link inactivity timer after
   1527  *                  dedicated bonding
   1528  *                  This timer can be longer than the normal link inactivity
   1529  *                  timer for some platforms.
   1530  *
   1531  * Returns          bool  - true if idle timer started or disconnect initiated
   1532  *                          false if there's one or more pending CCB's exist
   1533  *
   1534  ******************************************************************************/
   1535 bool l2cu_start_post_bond_timer(uint16_t handle) {
   1536   tL2C_LCB* p_lcb = l2cu_find_lcb_by_handle(handle);
   1537 
   1538   if (!p_lcb) return (true);
   1539 
   1540   p_lcb->is_bonding = false;
   1541 
   1542   /* Only start timer if no control blocks allocated */
   1543   if (p_lcb->ccb_queue.p_first_ccb != NULL) return (false);
   1544 
   1545   /* If no channels on the connection, start idle timeout */
   1546   if ((p_lcb->link_state == LST_CONNECTED) ||
   1547       (p_lcb->link_state == LST_CONNECTING) ||
   1548       (p_lcb->link_state == LST_DISCONNECTING)) {
   1549     period_ms_t timeout_ms = L2CAP_BONDING_TIMEOUT * 1000;
   1550 
   1551     if (p_lcb->idle_timeout == 0) {
   1552       btsnd_hcic_disconnect(p_lcb->handle, HCI_ERR_PEER_USER);
   1553       p_lcb->link_state = LST_DISCONNECTING;
   1554       timeout_ms = L2CAP_LINK_DISCONNECT_TIMEOUT_MS;
   1555     }
   1556     alarm_set_on_mloop(p_lcb->l2c_lcb_timer, timeout_ms, l2c_lcb_timer_timeout,
   1557                        p_lcb);
   1558     return (true);
   1559   }
   1560 
   1561   return (false);
   1562 }
   1563 
   1564 /*******************************************************************************
   1565  *
   1566  * Function         l2cu_release_ccb
   1567  *
   1568  * Description      This function releases a Channel Control Block. The timer
   1569  *                  is stopped, any attached buffers freed, and the CCB is
   1570  *                  removed from the link control block.
   1571  *
   1572  * Returns          void
   1573  *
   1574  ******************************************************************************/
   1575 void l2cu_release_ccb(tL2C_CCB* p_ccb) {
   1576   tL2C_LCB* p_lcb = p_ccb->p_lcb;
   1577   tL2C_RCB* p_rcb = p_ccb->p_rcb;
   1578 
   1579   L2CAP_TRACE_DEBUG("l2cu_release_ccb: cid 0x%04x  in_use: %u",
   1580                     p_ccb->local_cid, p_ccb->in_use);
   1581 
   1582   /* If already released, could be race condition */
   1583   if (!p_ccb->in_use) return;
   1584 
   1585   if (p_rcb && (p_rcb->psm != p_rcb->real_psm)) {
   1586     btm_sec_clr_service_by_psm(p_rcb->psm);
   1587   }
   1588 
   1589   if (p_ccb->should_free_rcb) {
   1590     osi_free(p_rcb);
   1591     p_ccb->p_rcb = NULL;
   1592     p_ccb->should_free_rcb = false;
   1593   }
   1594 
   1595   btm_sec_clr_temp_auth_service(p_lcb->remote_bd_addr);
   1596 
   1597   /* Free the timer */
   1598   alarm_free(p_ccb->l2c_ccb_timer);
   1599   p_ccb->l2c_ccb_timer = NULL;
   1600 
   1601   fixed_queue_free(p_ccb->xmit_hold_q, osi_free);
   1602   p_ccb->xmit_hold_q = NULL;
   1603 
   1604   l2c_fcr_cleanup(p_ccb);
   1605 
   1606   /* Channel may not be assigned to any LCB if it was just pre-reserved */
   1607   if ((p_lcb) && ((p_ccb->local_cid >= L2CAP_BASE_APPL_CID)
   1608 #if (L2CAP_UCD_INCLUDED == TRUE)
   1609                   || (p_ccb->local_cid == L2CAP_CONNECTIONLESS_CID)
   1610 #endif
   1611                       )) {
   1612     l2cu_dequeue_ccb(p_ccb);
   1613 
   1614     /* Delink the CCB from the LCB */
   1615     p_ccb->p_lcb = NULL;
   1616   }
   1617 
   1618   /* Put the CCB back on the free pool */
   1619   if (!l2cb.p_free_ccb_first) {
   1620     l2cb.p_free_ccb_first = p_ccb;
   1621     l2cb.p_free_ccb_last = p_ccb;
   1622     p_ccb->p_next_ccb = NULL;
   1623     p_ccb->p_prev_ccb = NULL;
   1624   } else {
   1625     p_ccb->p_next_ccb = NULL;
   1626     p_ccb->p_prev_ccb = l2cb.p_free_ccb_last;
   1627     l2cb.p_free_ccb_last->p_next_ccb = p_ccb;
   1628     l2cb.p_free_ccb_last = p_ccb;
   1629   }
   1630 
   1631   /* Flag as not in use */
   1632   p_ccb->in_use = false;
   1633 
   1634   /* If no channels on the connection, start idle timeout */
   1635   if ((p_lcb) && p_lcb->in_use && (p_lcb->link_state == LST_CONNECTED)) {
   1636     if (!p_lcb->ccb_queue.p_first_ccb) {
   1637       // Closing a security channel on LE device should not start connection
   1638       // timeout
   1639       if (p_lcb->transport == BT_TRANSPORT_LE &&
   1640           p_ccb->local_cid == L2CAP_SMP_CID)
   1641         return;
   1642 
   1643       l2cu_no_dynamic_ccbs(p_lcb);
   1644     } else {
   1645       /* Link is still active, adjust channel quotas. */
   1646       l2c_link_adjust_chnl_allocation();
   1647     }
   1648   }
   1649 }
   1650 
   1651 /*******************************************************************************
   1652  *
   1653  * Function         l2cu_find_ccb_by_remote_cid
   1654  *
   1655  * Description      Look through all active CCBs on a link for a match based
   1656  *                  on the remote CID.
   1657  *
   1658  * Returns          pointer to matched CCB, or NULL if no match
   1659  *
   1660  ******************************************************************************/
   1661 tL2C_CCB* l2cu_find_ccb_by_remote_cid(tL2C_LCB* p_lcb, uint16_t remote_cid) {
   1662   tL2C_CCB* p_ccb;
   1663 
   1664   /* If LCB is NULL, look through all active links */
   1665   if (!p_lcb) {
   1666     return NULL;
   1667   } else {
   1668     for (p_ccb = p_lcb->ccb_queue.p_first_ccb; p_ccb; p_ccb = p_ccb->p_next_ccb)
   1669       if ((p_ccb->in_use) && (p_ccb->remote_cid == remote_cid)) return (p_ccb);
   1670   }
   1671 
   1672   /* If here, no match found */
   1673   return (NULL);
   1674 }
   1675 
   1676 /*******************************************************************************
   1677  *
   1678  * Function         l2cu_allocate_rcb
   1679  *
   1680  * Description      Look through the Registration Control Blocks for a free
   1681  *                  one.
   1682  *
   1683  * Returns          Pointer to the RCB or NULL if not found
   1684  *
   1685  ******************************************************************************/
   1686 tL2C_RCB* l2cu_allocate_rcb(uint16_t psm) {
   1687   tL2C_RCB* p_rcb = &l2cb.rcb_pool[0];
   1688   uint16_t xx;
   1689 
   1690   for (xx = 0; xx < MAX_L2CAP_CLIENTS; xx++, p_rcb++) {
   1691     if (!p_rcb->in_use) {
   1692       p_rcb->in_use = true;
   1693       p_rcb->psm = psm;
   1694 #if (L2CAP_UCD_INCLUDED == TRUE)
   1695       p_rcb->ucd.state = L2C_UCD_STATE_UNUSED;
   1696 #endif
   1697       return (p_rcb);
   1698     }
   1699   }
   1700 
   1701   /* If here, no free RCB found */
   1702   return (NULL);
   1703 }
   1704 
   1705 /*******************************************************************************
   1706  *
   1707  * Function         l2cu_allocate_ble_rcb
   1708  *
   1709  * Description      Look through the BLE Registration Control Blocks for a free
   1710  *                  one.
   1711  *
   1712  * Returns          Pointer to the BLE RCB or NULL if not found
   1713  *
   1714  ******************************************************************************/
   1715 tL2C_RCB* l2cu_allocate_ble_rcb(uint16_t psm) {
   1716   tL2C_RCB* p_rcb = &l2cb.ble_rcb_pool[0];
   1717   uint16_t xx;
   1718 
   1719   for (xx = 0; xx < BLE_MAX_L2CAP_CLIENTS; xx++, p_rcb++) {
   1720     if (!p_rcb->in_use) {
   1721       p_rcb->in_use = true;
   1722       p_rcb->psm = psm;
   1723 #if (L2CAP_UCD_INCLUDED == TRUE)
   1724       p_rcb->ucd.state = L2C_UCD_STATE_UNUSED;
   1725 #endif
   1726       return (p_rcb);
   1727     }
   1728   }
   1729 
   1730   /* If here, no free RCB found */
   1731   return (NULL);
   1732 }
   1733 
   1734 /*******************************************************************************
   1735  *
   1736  * Function         l2cu_release_rcb
   1737  *
   1738  * Description      Mark an RCB as no longet in use
   1739  *
   1740  * Returns          void
   1741  *
   1742  ******************************************************************************/
   1743 void l2cu_release_rcb(tL2C_RCB* p_rcb) {
   1744   p_rcb->in_use = false;
   1745   p_rcb->psm = 0;
   1746 }
   1747 
   1748 /*******************************************************************************
   1749  *
   1750  * Function         l2cu_disconnect_chnl
   1751  *
   1752  * Description      Disconnect a channel. Typically, this is due to either
   1753  *                  receiving a bad configuration,  bad packet or max_retries
   1754  *                  expiring.
   1755  *
   1756  ******************************************************************************/
   1757 void l2cu_disconnect_chnl(tL2C_CCB* p_ccb) {
   1758   uint16_t local_cid = p_ccb->local_cid;
   1759 
   1760   if (local_cid >= L2CAP_BASE_APPL_CID) {
   1761     tL2CA_DISCONNECT_IND_CB* p_disc_cb =
   1762         p_ccb->p_rcb->api.pL2CA_DisconnectInd_Cb;
   1763 
   1764     L2CAP_TRACE_WARNING("L2CAP - disconnect_chnl CID: 0x%04x", local_cid);
   1765 
   1766     l2cu_send_peer_disc_req(p_ccb);
   1767 
   1768     l2cu_release_ccb(p_ccb);
   1769 
   1770     (*p_disc_cb)(local_cid, false);
   1771   } else {
   1772     /* failure on the AMP channel, probably need to disconnect ACL */
   1773     L2CAP_TRACE_ERROR("L2CAP - disconnect_chnl CID: 0x%04x Ignored", local_cid);
   1774   }
   1775 }
   1776 
   1777 /*******************************************************************************
   1778  *
   1779  * Function         l2cu_find_rcb_by_psm
   1780  *
   1781  * Description      Look through the Registration Control Blocks to see if
   1782  *                  anyone registered to handle the PSM in question
   1783  *
   1784  * Returns          Pointer to the RCB or NULL if not found
   1785  *
   1786  ******************************************************************************/
   1787 tL2C_RCB* l2cu_find_rcb_by_psm(uint16_t psm) {
   1788   tL2C_RCB* p_rcb = &l2cb.rcb_pool[0];
   1789   uint16_t xx;
   1790 
   1791   for (xx = 0; xx < MAX_L2CAP_CLIENTS; xx++, p_rcb++) {
   1792     if ((p_rcb->in_use) && (p_rcb->psm == psm)) return (p_rcb);
   1793   }
   1794 
   1795   /* If here, no match found */
   1796   return (NULL);
   1797 }
   1798 
   1799 /*******************************************************************************
   1800  *
   1801  * Function         l2cu_find_ble_rcb_by_psm
   1802  *
   1803  * Description      Look through the BLE Registration Control Blocks to see if
   1804  *                  anyone registered to handle the PSM in question
   1805  *
   1806  * Returns          Pointer to the BLE RCB or NULL if not found
   1807  *
   1808  ******************************************************************************/
   1809 tL2C_RCB* l2cu_find_ble_rcb_by_psm(uint16_t psm) {
   1810   tL2C_RCB* p_rcb = &l2cb.ble_rcb_pool[0];
   1811   uint16_t xx;
   1812 
   1813   for (xx = 0; xx < BLE_MAX_L2CAP_CLIENTS; xx++, p_rcb++) {
   1814     if ((p_rcb->in_use) && (p_rcb->psm == psm)) return (p_rcb);
   1815   }
   1816 
   1817   /* If here, no match found */
   1818   return (NULL);
   1819 }
   1820 
   1821 /*******************************************************************************
   1822  *
   1823  * Function         l2cu_process_peer_cfg_req
   1824  *
   1825  * Description      This function is called when the peer sends us a "config
   1826  *                  request" message. It extracts the configuration of interest
   1827  *                  and saves it in the CCB.
   1828  *
   1829  *                  Note:  Negotiation of the FCR channel type is handled
   1830  *                         internally, all others are passed to the upper layer.
   1831  *
   1832  * Returns          uint8_t - L2CAP_PEER_CFG_OK if passed to upper layer,
   1833  *                            L2CAP_PEER_CFG_UNACCEPTABLE if automatically
   1834  *                                      responded to because parameters are
   1835  *                                      unnacceptable from a specification point
   1836  *                                      of view.
   1837  *                            L2CAP_PEER_CFG_DISCONNECT if no compatible channel
   1838  *                                      modes between the two devices, and shall
   1839  *                                      be closed.
   1840  *
   1841  ******************************************************************************/
   1842 uint8_t l2cu_process_peer_cfg_req(tL2C_CCB* p_ccb, tL2CAP_CFG_INFO* p_cfg) {
   1843   bool mtu_ok = true;
   1844   bool qos_type_ok = true;
   1845   bool flush_to_ok = true;
   1846   bool fcr_ok = true;
   1847   uint8_t fcr_status;
   1848 
   1849   /* Ignore FCR parameters for basic mode */
   1850   if (!p_cfg->fcr_present) p_cfg->fcr.mode = L2CAP_FCR_BASIC_MODE;
   1851 
   1852   /* Save the MTU that our peer can receive */
   1853   if (p_cfg->mtu_present) {
   1854     /* Make sure MTU is at least the minimum */
   1855     if (p_cfg->mtu >= L2CAP_MIN_MTU) {
   1856       /* In basic mode, limit the MTU to our buffer size */
   1857       if ((p_cfg->fcr_present == false) && (p_cfg->mtu > L2CAP_MTU_SIZE))
   1858         p_cfg->mtu = L2CAP_MTU_SIZE;
   1859 
   1860       /* Save the accepted value in case of renegotiation */
   1861       p_ccb->peer_cfg.mtu = p_cfg->mtu;
   1862       p_ccb->peer_cfg.mtu_present = true;
   1863       p_ccb->peer_cfg_bits |= L2CAP_CH_CFG_MASK_MTU;
   1864     } else /* Illegal MTU value */
   1865     {
   1866       p_cfg->mtu = L2CAP_MIN_MTU;
   1867       mtu_ok = false;
   1868     }
   1869   }
   1870   /* Reload mtu from a previously accepted config request */
   1871   else if (p_ccb->peer_cfg.mtu_present) {
   1872     p_cfg->mtu_present = true;
   1873     p_cfg->mtu = p_ccb->peer_cfg.mtu;
   1874   }
   1875 
   1876   /* Verify that the flush timeout is a valid value (0 is illegal) */
   1877   if (p_cfg->flush_to_present) {
   1878     if (!p_cfg->flush_to) {
   1879       p_cfg->flush_to = 0xFFFF; /* Infinite retransmissions (spec default) */
   1880       flush_to_ok = false;
   1881     } else /* Save the accepted value in case of renegotiation */
   1882     {
   1883       p_ccb->peer_cfg.flush_to_present = true;
   1884       p_ccb->peer_cfg.flush_to = p_cfg->flush_to;
   1885       p_ccb->peer_cfg_bits |= L2CAP_CH_CFG_MASK_FLUSH_TO;
   1886     }
   1887   }
   1888   /* Reload flush_to from a previously accepted config request */
   1889   else if (p_ccb->peer_cfg.flush_to_present) {
   1890     p_cfg->flush_to_present = true;
   1891     p_cfg->flush_to = p_ccb->peer_cfg.flush_to;
   1892   }
   1893 
   1894   /* Save the QOS settings the the peer is using */
   1895   if (p_cfg->qos_present) {
   1896     /* Make sure service type is not a reserved value; otherwise let upper
   1897        layer decide if acceptable
   1898     */
   1899     if (p_cfg->qos.service_type <= GUARANTEED) {
   1900       p_ccb->peer_cfg.qos = p_cfg->qos;
   1901       p_ccb->peer_cfg.qos_present = true;
   1902       p_ccb->peer_cfg_bits |= L2CAP_CH_CFG_MASK_QOS;
   1903     } else /* Illegal service type value */
   1904     {
   1905       p_cfg->qos.service_type = BEST_EFFORT;
   1906       qos_type_ok = false;
   1907     }
   1908   }
   1909   /* Reload QOS from a previously accepted config request */
   1910   else if (p_ccb->peer_cfg.qos_present) {
   1911     p_cfg->qos_present = true;
   1912     p_cfg->qos = p_ccb->peer_cfg.qos;
   1913   }
   1914 
   1915   fcr_status = l2c_fcr_process_peer_cfg_req(p_ccb, p_cfg);
   1916   if (fcr_status == L2CAP_PEER_CFG_DISCONNECT) {
   1917     /* Notify caller to disconnect the channel (incompatible modes) */
   1918     p_cfg->result = L2CAP_CFG_FAILED_NO_REASON;
   1919     p_cfg->mtu_present = p_cfg->qos_present = p_cfg->flush_to_present = 0;
   1920 
   1921     return (L2CAP_PEER_CFG_DISCONNECT);
   1922   }
   1923 
   1924   fcr_ok = (fcr_status == L2CAP_PEER_CFG_OK);
   1925 
   1926   /* Return any unacceptable parameters */
   1927   if (mtu_ok && flush_to_ok && qos_type_ok && fcr_ok) {
   1928     l2cu_adjust_out_mps(p_ccb);
   1929     return (L2CAP_PEER_CFG_OK);
   1930   } else {
   1931     p_cfg->result = L2CAP_CFG_UNACCEPTABLE_PARAMS;
   1932 
   1933     if (mtu_ok) p_cfg->mtu_present = false;
   1934     if (flush_to_ok) p_cfg->flush_to_present = false;
   1935     if (qos_type_ok) p_cfg->qos_present = false;
   1936     if (fcr_ok) p_cfg->fcr_present = false;
   1937 
   1938     return (L2CAP_PEER_CFG_UNACCEPTABLE);
   1939   }
   1940 }
   1941 
   1942 /*******************************************************************************
   1943  *
   1944  * Function         l2cu_process_peer_cfg_rsp
   1945  *
   1946  * Description      This function is called when the peer sends us a "config
   1947  *                  response" message. It extracts the configuration of interest
   1948  *                  and saves it in the CCB.
   1949  *
   1950  * Returns          void
   1951  *
   1952  ******************************************************************************/
   1953 void l2cu_process_peer_cfg_rsp(tL2C_CCB* p_ccb, tL2CAP_CFG_INFO* p_cfg) {
   1954   /* If we wanted QoS and the peer sends us a positive response with QoS, use
   1955    * his values */
   1956   if ((p_cfg->qos_present) && (p_ccb->our_cfg.qos_present))
   1957     p_ccb->our_cfg.qos = p_cfg->qos;
   1958 
   1959   if (p_cfg->fcr_present) {
   1960     /* Save the retransmission and monitor timeout values */
   1961     if (p_cfg->fcr.mode == L2CAP_FCR_ERTM_MODE) {
   1962       p_ccb->peer_cfg.fcr.rtrans_tout = p_cfg->fcr.rtrans_tout;
   1963       p_ccb->peer_cfg.fcr.mon_tout = p_cfg->fcr.mon_tout;
   1964     }
   1965 
   1966     /* Calculate the max number of packets for which we can delay sending an ack
   1967      */
   1968     if (p_cfg->fcr.tx_win_sz < p_ccb->our_cfg.fcr.tx_win_sz)
   1969       p_ccb->fcrb.max_held_acks = p_cfg->fcr.tx_win_sz / 3;
   1970     else
   1971       p_ccb->fcrb.max_held_acks = p_ccb->our_cfg.fcr.tx_win_sz / 3;
   1972 
   1973     L2CAP_TRACE_DEBUG(
   1974         "l2cu_process_peer_cfg_rsp(): peer tx_win_sz: %d, our tx_win_sz: %d, "
   1975         "max_held_acks: %d",
   1976         p_cfg->fcr.tx_win_sz, p_ccb->our_cfg.fcr.tx_win_sz,
   1977         p_ccb->fcrb.max_held_acks);
   1978   }
   1979 }
   1980 
   1981 /*******************************************************************************
   1982  *
   1983  * Function         l2cu_process_our_cfg_req
   1984  *
   1985  * Description      This function is called when we send a "config request"
   1986  *                  message. It extracts the configuration of interest and saves
   1987  *                  it in the CCB.
   1988  *
   1989  * Returns          void
   1990  *
   1991  ******************************************************************************/
   1992 void l2cu_process_our_cfg_req(tL2C_CCB* p_ccb, tL2CAP_CFG_INFO* p_cfg) {
   1993   tL2C_LCB* p_lcb;
   1994   uint16_t hci_flush_to;
   1995 
   1996   /* Save the QOS settings we are using for transmit */
   1997   if (p_cfg->qos_present) {
   1998     p_ccb->our_cfg.qos_present = true;
   1999     p_ccb->our_cfg.qos = p_cfg->qos;
   2000   }
   2001 
   2002   if (p_cfg->fcr_present) {
   2003     /* Override FCR options if attempting streaming or basic */
   2004     if (p_cfg->fcr.mode == L2CAP_FCR_BASIC_MODE)
   2005       memset(&p_cfg->fcr, 0, sizeof(tL2CAP_FCR_OPTS));
   2006     else {
   2007       /* On BR/EDR, timer values are zero in config request */
   2008       /* On class 2 AMP, timer value in config request shall be non-0 processing
   2009        * time */
   2010       /*                 timer value in config response shall be greater than
   2011        * received processing time */
   2012       p_cfg->fcr.mon_tout = p_cfg->fcr.rtrans_tout = 0;
   2013 
   2014       if (p_cfg->fcr.mode == L2CAP_FCR_STREAM_MODE)
   2015         p_cfg->fcr.max_transmit = p_cfg->fcr.tx_win_sz = 0;
   2016     }
   2017 
   2018     /* Set the threshold to send acks (may be updated in the cfg response) */
   2019     p_ccb->fcrb.max_held_acks = p_cfg->fcr.tx_win_sz / 3;
   2020 
   2021     /* Include FCS option only if peer can handle it */
   2022     if (p_ccb->p_lcb->peer_ext_fea & L2CAP_EXTFEA_NO_CRC) {
   2023       /* FCS check can be bypassed if peer also desires to bypass */
   2024       if (p_cfg->fcs_present && p_cfg->fcs == L2CAP_CFG_FCS_BYPASS)
   2025         p_ccb->bypass_fcs |= L2CAP_CFG_FCS_OUR;
   2026     } else
   2027       p_cfg->fcs_present = false;
   2028   } else {
   2029     p_cfg->fcr.mode = L2CAP_FCR_BASIC_MODE;
   2030   }
   2031 
   2032   p_ccb->our_cfg.fcr.mode = p_cfg->fcr.mode;
   2033   p_ccb->our_cfg.fcr_present = p_cfg->fcr_present;
   2034 
   2035   /* Check the flush timeout. If it is lower than the current one used */
   2036   /* then we need to adjust the flush timeout sent to the controller   */
   2037   if (p_cfg->flush_to_present) {
   2038     if ((p_cfg->flush_to == 0) ||
   2039         (p_cfg->flush_to == L2CAP_NO_AUTOMATIC_FLUSH)) {
   2040       /* don't send invalid flush timeout */
   2041       /* SPEC: The sender of the Request shall specify its flush timeout value
   2042        */
   2043       /*       if it differs from the default value of 0xFFFF */
   2044       p_cfg->flush_to_present = false;
   2045     } else {
   2046       p_ccb->our_cfg.flush_to = p_cfg->flush_to;
   2047       p_lcb = p_ccb->p_lcb;
   2048 
   2049       if (p_cfg->flush_to < p_lcb->link_flush_tout) {
   2050         p_lcb->link_flush_tout = p_cfg->flush_to;
   2051 
   2052         /* If the timeout is within range of HCI, set the flush timeout */
   2053         if (p_cfg->flush_to <= ((HCI_MAX_AUTOMATIC_FLUSH_TIMEOUT * 5) / 8)) {
   2054           /* Convert flush timeout to 0.625 ms units, with round */
   2055           hci_flush_to = ((p_cfg->flush_to * 8) + 3) / 5;
   2056           btsnd_hcic_write_auto_flush_tout(p_lcb->handle, hci_flush_to);
   2057         }
   2058       }
   2059     }
   2060   }
   2061 }
   2062 
   2063 /*******************************************************************************
   2064  *
   2065  * Function         l2cu_process_our_cfg_rsp
   2066  *
   2067  * Description      This function is called when we send the peer a "config
   2068  *                  response" message. It extracts the configuration of interest
   2069  *                  and saves it in the CCB.
   2070  *
   2071  * Returns          void
   2072  *
   2073  ******************************************************************************/
   2074 void l2cu_process_our_cfg_rsp(tL2C_CCB* p_ccb, tL2CAP_CFG_INFO* p_cfg) {
   2075   /* If peer wants QoS, we are allowed to change the values in a positive
   2076    * response */
   2077   if ((p_cfg->qos_present) && (p_ccb->peer_cfg.qos_present))
   2078     p_ccb->peer_cfg.qos = p_cfg->qos;
   2079   else
   2080     p_cfg->qos_present = false;
   2081 
   2082   l2c_fcr_adj_our_rsp_options(p_ccb, p_cfg);
   2083 }
   2084 
   2085 /*******************************************************************************
   2086  *
   2087  * Function         l2cu_device_reset
   2088  *
   2089  * Description      This function is called when reset of the device is
   2090  *                  completed.  For all active connection simulate HCI_DISC
   2091  *
   2092  * Returns          void
   2093  *
   2094  ******************************************************************************/
   2095 void l2cu_device_reset(void) {
   2096   int xx;
   2097   tL2C_LCB* p_lcb = &l2cb.lcb_pool[0];
   2098 
   2099   for (xx = 0; xx < MAX_L2CAP_LINKS; xx++, p_lcb++) {
   2100     if ((p_lcb->in_use) && (p_lcb->handle != HCI_INVALID_HANDLE)) {
   2101       l2c_link_hci_disc_comp(p_lcb->handle, (uint8_t)-1);
   2102     }
   2103   }
   2104   l2cb.is_ble_connecting = false;
   2105 }
   2106 
   2107 /*******************************************************************************
   2108  *
   2109  * Function         l2cu_create_conn
   2110  *
   2111  * Description      This function initiates an acl connection via HCI
   2112  *
   2113  * Returns          true if successful, false if get buffer fails.
   2114  *
   2115  ******************************************************************************/
   2116 bool l2cu_create_conn(tL2C_LCB* p_lcb, tBT_TRANSPORT transport) {
   2117   uint8_t phy = controller_get_interface()->get_le_all_initiating_phys();
   2118   return l2cu_create_conn(p_lcb, transport, phy);
   2119 }
   2120 
   2121 bool l2cu_create_conn(tL2C_LCB* p_lcb, tBT_TRANSPORT transport,
   2122                       uint8_t initiating_phys) {
   2123   int xx;
   2124   tL2C_LCB* p_lcb_cur = &l2cb.lcb_pool[0];
   2125 #if (BTM_SCO_INCLUDED == TRUE)
   2126   bool is_sco_active;
   2127 #endif
   2128 
   2129   tBT_DEVICE_TYPE dev_type;
   2130   tBLE_ADDR_TYPE addr_type;
   2131 
   2132   BTM_ReadDevInfo(p_lcb->remote_bd_addr, &dev_type, &addr_type);
   2133 
   2134   if (transport == BT_TRANSPORT_LE) {
   2135     if (!controller_get_interface()->supports_ble()) return false;
   2136 
   2137     p_lcb->ble_addr_type = addr_type;
   2138     p_lcb->transport = BT_TRANSPORT_LE;
   2139     p_lcb->initiating_phys = initiating_phys;
   2140 
   2141     return (l2cble_create_conn(p_lcb));
   2142   }
   2143 
   2144   /* If there is a connection where we perform as a slave, try to switch roles
   2145      for this connection */
   2146   for (xx = 0, p_lcb_cur = &l2cb.lcb_pool[0]; xx < MAX_L2CAP_LINKS;
   2147        xx++, p_lcb_cur++) {
   2148     if (p_lcb_cur == p_lcb) continue;
   2149 
   2150     if ((p_lcb_cur->in_use) && (p_lcb_cur->link_role == HCI_ROLE_SLAVE)) {
   2151 #if (BTM_SCO_INCLUDED == TRUE)
   2152       /* The LMP_switch_req shall be sent only if the ACL logical transport
   2153       is in active mode, when encryption is disabled, and all synchronous
   2154       logical transports on the same physical link are disabled." */
   2155 
   2156       /* Check if there is any SCO Active on this BD Address */
   2157       is_sco_active = btm_is_sco_active_by_bdaddr(p_lcb_cur->remote_bd_addr);
   2158 
   2159       L2CAP_TRACE_API(
   2160           "l2cu_create_conn - btm_is_sco_active_by_bdaddr() is_sco_active = %s",
   2161           (is_sco_active == true) ? "true" : "false");
   2162 
   2163       if (is_sco_active == true)
   2164         continue; /* No Master Slave switch not allowed when SCO Active */
   2165 #endif
   2166       /*4_1_TODO check  if btm_cb.devcb.local_features to be used instead */
   2167       if (HCI_SWITCH_SUPPORTED(BTM_ReadLocalFeatures())) {
   2168         /* mark this lcb waiting for switch to be completed and
   2169            start switch on the other one */
   2170         p_lcb->link_state = LST_CONNECTING_WAIT_SWITCH;
   2171         p_lcb->link_role = HCI_ROLE_MASTER;
   2172 
   2173         if (BTM_SwitchRole(p_lcb_cur->remote_bd_addr, HCI_ROLE_MASTER, NULL) ==
   2174             BTM_CMD_STARTED) {
   2175           alarm_set_on_mloop(p_lcb->l2c_lcb_timer,
   2176                              L2CAP_LINK_ROLE_SWITCH_TIMEOUT_MS,
   2177                              l2c_lcb_timer_timeout, p_lcb);
   2178           return (true);
   2179         }
   2180       }
   2181     }
   2182   }
   2183 
   2184   p_lcb->link_state = LST_CONNECTING;
   2185 
   2186   return (l2cu_create_conn_after_switch(p_lcb));
   2187 }
   2188 
   2189 /*******************************************************************************
   2190  *
   2191  * Function         l2cu_get_num_hi_priority
   2192  *
   2193  * Description      Gets the number of high priority channels.
   2194  *
   2195  * Returns
   2196  *
   2197  ******************************************************************************/
   2198 uint8_t l2cu_get_num_hi_priority(void) {
   2199   uint8_t no_hi = 0;
   2200   int xx;
   2201   tL2C_LCB* p_lcb = &l2cb.lcb_pool[0];
   2202 
   2203   for (xx = 0; xx < MAX_L2CAP_LINKS; xx++, p_lcb++) {
   2204     if ((p_lcb->in_use) && (p_lcb->acl_priority == L2CAP_PRIORITY_HIGH)) {
   2205       no_hi++;
   2206     }
   2207   }
   2208   return no_hi;
   2209 }
   2210 
   2211 /*******************************************************************************
   2212  *
   2213  * Function         l2cu_create_conn_after_switch
   2214  *
   2215  * Description      This function initiates an acl connection via HCI
   2216  *                  If switch required to create connection it is already done.
   2217  *
   2218  * Returns          true if successful, false if get buffer fails.
   2219  *
   2220  ******************************************************************************/
   2221 
   2222 bool l2cu_create_conn_after_switch(tL2C_LCB* p_lcb) {
   2223   uint8_t allow_switch = HCI_CR_CONN_ALLOW_SWITCH;
   2224   tBTM_INQ_INFO* p_inq_info;
   2225   uint8_t page_scan_rep_mode;
   2226   uint8_t page_scan_mode;
   2227   uint16_t clock_offset;
   2228   uint8_t* p_features;
   2229   uint16_t num_acl = BTM_GetNumAclLinks();
   2230   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_lcb->remote_bd_addr);
   2231   uint8_t no_hi_prio_chs = l2cu_get_num_hi_priority();
   2232 
   2233   p_features = BTM_ReadLocalFeatures();
   2234 
   2235   L2CAP_TRACE_DEBUG(
   2236       "l2cu_create_conn_after_switch :%d num_acl:%d no_hi: %d is_bonding:%d",
   2237       l2cb.disallow_switch, num_acl, no_hi_prio_chs, p_lcb->is_bonding);
   2238   /* FW team says that we can participant in 4 piconets
   2239    * typically 3 piconet + 1 for scanning.
   2240    * We can enhance the code to count the number of piconets later. */
   2241   if (((!l2cb.disallow_switch && (num_acl < 3)) ||
   2242        (p_lcb->is_bonding && (no_hi_prio_chs == 0))) &&
   2243       HCI_SWITCH_SUPPORTED(p_features))
   2244     allow_switch = HCI_CR_CONN_ALLOW_SWITCH;
   2245   else
   2246     allow_switch = HCI_CR_CONN_NOT_ALLOW_SWITCH;
   2247 
   2248   p_lcb->link_state = LST_CONNECTING;
   2249 
   2250   /* Check with the BT manager if details about remote device are known */
   2251   p_inq_info = BTM_InqDbRead(p_lcb->remote_bd_addr);
   2252   if (p_inq_info != NULL) {
   2253     page_scan_rep_mode = p_inq_info->results.page_scan_rep_mode;
   2254     page_scan_mode = p_inq_info->results.page_scan_mode;
   2255     clock_offset = (uint16_t)(p_inq_info->results.clock_offset);
   2256   } else {
   2257     /* No info known. Use default settings */
   2258     page_scan_rep_mode = HCI_PAGE_SCAN_REP_MODE_R1;
   2259     page_scan_mode = HCI_MANDATARY_PAGE_SCAN_MODE;
   2260 
   2261     clock_offset = (p_dev_rec) ? p_dev_rec->clock_offset : 0;
   2262   }
   2263 
   2264   btsnd_hcic_create_conn(
   2265       p_lcb->remote_bd_addr, (HCI_PKT_TYPES_MASK_DM1 | HCI_PKT_TYPES_MASK_DH1 |
   2266                               HCI_PKT_TYPES_MASK_DM3 | HCI_PKT_TYPES_MASK_DH3 |
   2267                               HCI_PKT_TYPES_MASK_DM5 | HCI_PKT_TYPES_MASK_DH5),
   2268       page_scan_rep_mode, page_scan_mode, clock_offset, allow_switch);
   2269 
   2270   btm_acl_update_busy_level(BTM_BLI_PAGE_EVT);
   2271 
   2272   alarm_set_on_mloop(p_lcb->l2c_lcb_timer, L2CAP_LINK_CONNECT_TIMEOUT_MS,
   2273                      l2c_lcb_timer_timeout, p_lcb);
   2274 
   2275   return (true);
   2276 }
   2277 
   2278 /*******************************************************************************
   2279  *
   2280  * Function         l2cu_find_lcb_by_state
   2281  *
   2282  * Description      Look through all active LCBs for a match based on the
   2283  *                  LCB state.
   2284  *
   2285  * Returns          pointer to first matched LCB, or NULL if no match
   2286  *
   2287  ******************************************************************************/
   2288 tL2C_LCB* l2cu_find_lcb_by_state(tL2C_LINK_STATE state) {
   2289   uint16_t i;
   2290   tL2C_LCB* p_lcb = &l2cb.lcb_pool[0];
   2291 
   2292   for (i = 0; i < MAX_L2CAP_LINKS; i++, p_lcb++) {
   2293     if ((p_lcb->in_use) && (p_lcb->link_state == state)) {
   2294       return (p_lcb);
   2295     }
   2296   }
   2297 
   2298   /* If here, no match found */
   2299   return (NULL);
   2300 }
   2301 
   2302 /*******************************************************************************
   2303  *
   2304  * Function         l2cu_lcb_disconnecting
   2305  *
   2306  * Description      On each active lcb, check if the lcb is in disconnecting
   2307  *                  state, or if there are no ccb's on the lcb (implying
   2308                     idle timeout is running), or if last ccb on the link
   2309                     is in disconnecting state.
   2310  *
   2311  * Returns          true if any of above conditions met, false otherwise
   2312  *
   2313  ******************************************************************************/
   2314 bool l2cu_lcb_disconnecting(void) {
   2315   tL2C_LCB* p_lcb;
   2316   tL2C_CCB* p_ccb;
   2317   uint16_t i;
   2318   bool status = false;
   2319 
   2320   p_lcb = &l2cb.lcb_pool[0];
   2321 
   2322   for (i = 0; i < MAX_L2CAP_LINKS; i++, p_lcb++) {
   2323     if (p_lcb->in_use) {
   2324       /* no ccbs on lcb, or lcb is in disconnecting state */
   2325       if ((!p_lcb->ccb_queue.p_first_ccb) ||
   2326           (p_lcb->link_state == LST_DISCONNECTING)) {
   2327         status = true;
   2328         break;
   2329       }
   2330       /* only one ccb left on lcb */
   2331       else if (p_lcb->ccb_queue.p_first_ccb == p_lcb->ccb_queue.p_last_ccb) {
   2332         p_ccb = p_lcb->ccb_queue.p_first_ccb;
   2333 
   2334         if ((p_ccb->in_use) &&
   2335             ((p_ccb->chnl_state == CST_W4_L2CAP_DISCONNECT_RSP) ||
   2336              (p_ccb->chnl_state == CST_W4_L2CA_DISCONNECT_RSP))) {
   2337           status = true;
   2338           break;
   2339         }
   2340       }
   2341     }
   2342   }
   2343   return status;
   2344 }
   2345 
   2346 /*******************************************************************************
   2347  *
   2348  * Function         l2cu_set_acl_priority
   2349  *
   2350  * Description      Sets the transmission priority for a channel.
   2351  *                  (For initial implementation only two values are valid.
   2352  *                  L2CAP_PRIORITY_NORMAL and L2CAP_PRIORITY_HIGH).
   2353  *
   2354  * Returns          true if a valid channel, else false
   2355  *
   2356  ******************************************************************************/
   2357 
   2358 bool l2cu_set_acl_priority(const RawAddress& bd_addr, uint8_t priority,
   2359                            bool reset_after_rs) {
   2360   tL2C_LCB* p_lcb;
   2361   uint8_t* pp;
   2362   uint8_t command[HCI_BRCM_ACL_PRIORITY_PARAM_SIZE];
   2363   uint8_t vs_param;
   2364 
   2365   APPL_TRACE_EVENT("SET ACL PRIORITY %d", priority);
   2366 
   2367   /* Find the link control block for the acl channel */
   2368   p_lcb = l2cu_find_lcb_by_bd_addr(bd_addr, BT_TRANSPORT_BR_EDR);
   2369   if (p_lcb == NULL) {
   2370     L2CAP_TRACE_WARNING("L2CAP - no LCB for L2CA_SetAclPriority");
   2371     return (false);
   2372   }
   2373 
   2374   if (BTM_IS_BRCM_CONTROLLER()) {
   2375     /* Called from above L2CAP through API; send VSC if changed */
   2376     if ((!reset_after_rs && (priority != p_lcb->acl_priority)) ||
   2377         /* Called because of a master/slave role switch; if high resend VSC */
   2378         (reset_after_rs && p_lcb->acl_priority == L2CAP_PRIORITY_HIGH)) {
   2379       pp = command;
   2380 
   2381       vs_param = (priority == L2CAP_PRIORITY_HIGH) ? HCI_BRCM_ACL_PRIORITY_HIGH
   2382                                                    : HCI_BRCM_ACL_PRIORITY_LOW;
   2383 
   2384       UINT16_TO_STREAM(pp, p_lcb->handle);
   2385       UINT8_TO_STREAM(pp, vs_param);
   2386 
   2387       BTM_VendorSpecificCommand(HCI_BRCM_SET_ACL_PRIORITY,
   2388                                 HCI_BRCM_ACL_PRIORITY_PARAM_SIZE, command,
   2389                                 NULL);
   2390     }
   2391   }
   2392 
   2393   /* Adjust lmp buffer allocation for this channel if priority changed */
   2394   if (p_lcb->acl_priority != priority) {
   2395     p_lcb->acl_priority = priority;
   2396     l2c_link_adjust_allocation();
   2397   }
   2398   return (true);
   2399 }
   2400 
   2401 #if (L2CAP_NON_FLUSHABLE_PB_INCLUDED == TRUE)
   2402 /******************************************************************************
   2403  *
   2404  * Function         l2cu_set_non_flushable_pbf
   2405  *
   2406  * Description      set L2CAP_PKT_START_NON_FLUSHABLE if controller supoorts
   2407  *
   2408  * Returns          void
   2409  *
   2410  ******************************************************************************/
   2411 void l2cu_set_non_flushable_pbf(bool is_supported) {
   2412   if (is_supported)
   2413     l2cb.non_flushable_pbf =
   2414         (L2CAP_PKT_START_NON_FLUSHABLE << L2CAP_PKT_TYPE_SHIFT);
   2415   else
   2416     l2cb.non_flushable_pbf = (L2CAP_PKT_START << L2CAP_PKT_TYPE_SHIFT);
   2417 }
   2418 #endif
   2419 
   2420 /*******************************************************************************
   2421  *
   2422  * Function         l2cu_resubmit_pending_sec_req
   2423  *
   2424  * Description      This function is called when required security procedures
   2425  *                  are completed and any pending requests can be re-submitted.
   2426  *
   2427  * Returns          void
   2428  *
   2429  ******************************************************************************/
   2430 void l2cu_resubmit_pending_sec_req(const RawAddress* p_bda) {
   2431   tL2C_LCB* p_lcb;
   2432   tL2C_CCB* p_ccb;
   2433   tL2C_CCB* p_next_ccb;
   2434   int xx;
   2435 
   2436   L2CAP_TRACE_DEBUG("l2cu_resubmit_pending_sec_req  p_bda: 0x%08x", p_bda);
   2437 
   2438   /* If we are called with a BDA, only resubmit for that BDA */
   2439   if (p_bda) {
   2440     p_lcb = l2cu_find_lcb_by_bd_addr(*p_bda, BT_TRANSPORT_BR_EDR);
   2441 
   2442     /* If we don't have one, this is an error */
   2443     if (p_lcb) {
   2444       /* For all channels, send the event through their FSMs */
   2445       for (p_ccb = p_lcb->ccb_queue.p_first_ccb; p_ccb; p_ccb = p_next_ccb) {
   2446         p_next_ccb = p_ccb->p_next_ccb;
   2447         l2c_csm_execute(p_ccb, L2CEVT_SEC_RE_SEND_CMD, NULL);
   2448       }
   2449     } else {
   2450       L2CAP_TRACE_WARNING("l2cu_resubmit_pending_sec_req - unknown BD_ADDR");
   2451     }
   2452   } else {
   2453     /* No BDA pasesed in, so check all links */
   2454     for (xx = 0, p_lcb = &l2cb.lcb_pool[0]; xx < MAX_L2CAP_LINKS;
   2455          xx++, p_lcb++) {
   2456       if (p_lcb->in_use) {
   2457         /* For all channels, send the event through their FSMs */
   2458         for (p_ccb = p_lcb->ccb_queue.p_first_ccb; p_ccb; p_ccb = p_next_ccb) {
   2459           p_next_ccb = p_ccb->p_next_ccb;
   2460           l2c_csm_execute(p_ccb, L2CEVT_SEC_RE_SEND_CMD, NULL);
   2461         }
   2462       }
   2463     }
   2464   }
   2465 }
   2466 
   2467 #if (L2CAP_CONFORMANCE_TESTING == TRUE)
   2468 /*******************************************************************************
   2469  *
   2470  * Function         l2cu_set_info_rsp_mask
   2471  *
   2472  * Description      This function allows the script wrapper to change the
   2473  *                  info resp mask for conformance testing.
   2474  *
   2475  * Returns          pointer to CCB, or NULL if none
   2476  *
   2477  ******************************************************************************/
   2478 void l2cu_set_info_rsp_mask(uint32_t mask) { l2cb.test_info_resp = mask; }
   2479 #endif /* L2CAP_CONFORMANCE_TESTING */
   2480 
   2481 /*******************************************************************************
   2482  *
   2483  * Function         l2cu_adjust_out_mps
   2484  *
   2485  * Description      Sets our MPS based on current controller capabilities
   2486  *
   2487  * Returns          void
   2488  *
   2489  ******************************************************************************/
   2490 void l2cu_adjust_out_mps(tL2C_CCB* p_ccb) {
   2491   uint16_t packet_size;
   2492 
   2493   /* on the tx side MTU is selected based on packet size of the controller */
   2494   packet_size = btm_get_max_packet_size(p_ccb->p_lcb->remote_bd_addr);
   2495 
   2496   if (packet_size <= (L2CAP_PKT_OVERHEAD + L2CAP_FCR_OVERHEAD +
   2497                       L2CAP_SDU_LEN_OVERHEAD + L2CAP_FCS_LEN)) {
   2498     /* something is very wrong */
   2499     L2CAP_TRACE_ERROR(
   2500         "l2cu_adjust_out_mps bad packet size: %u  will use MPS: %u",
   2501         packet_size, p_ccb->peer_cfg.fcr.mps);
   2502     p_ccb->tx_mps = p_ccb->peer_cfg.fcr.mps;
   2503   } else {
   2504     packet_size -= (L2CAP_PKT_OVERHEAD + L2CAP_FCR_OVERHEAD +
   2505                     L2CAP_SDU_LEN_OVERHEAD + L2CAP_FCS_LEN);
   2506 
   2507     /* We try to negotiate MTU that each packet can be split into whole
   2508     number of max packets.  For example if link is 1.2 max packet size is 339
   2509     bytes.
   2510     At first calculate how many whole packets it is.  MAX L2CAP is 1691 + 4
   2511     overhead.
   2512     1695, that will be 5 Dh5 packets.  Now maximum L2CAP packet is
   2513     5 * 339 = 1695. Minus 4 bytes L2CAP header 1691.
   2514 
   2515     For EDR 2.0 packet size is 1027.  So we better send RFCOMM packet as 1 3DH5
   2516     packet
   2517     1 * 1027 = 1027.  Minus 4 bytes L2CAP header 1023.  */
   2518     if (p_ccb->peer_cfg.fcr.mps >= packet_size)
   2519       p_ccb->tx_mps = p_ccb->peer_cfg.fcr.mps / packet_size * packet_size;
   2520     else
   2521       p_ccb->tx_mps = p_ccb->peer_cfg.fcr.mps;
   2522 
   2523     L2CAP_TRACE_DEBUG(
   2524         "l2cu_adjust_out_mps use %d   Based on peer_cfg.fcr.mps: %u  "
   2525         "packet_size: %u",
   2526         p_ccb->tx_mps, p_ccb->peer_cfg.fcr.mps, packet_size);
   2527   }
   2528 }
   2529 
   2530 /*******************************************************************************
   2531  *
   2532  * Function         l2cu_initialize_fixed_ccb
   2533  *
   2534  * Description      Initialize a fixed channel's CCB
   2535  *
   2536  * Returns          true or false
   2537  *
   2538  ******************************************************************************/
   2539 bool l2cu_initialize_fixed_ccb(tL2C_LCB* p_lcb, uint16_t fixed_cid,
   2540                                tL2CAP_FCR_OPTS* p_fcr) {
   2541 #if (L2CAP_NUM_FIXED_CHNLS > 0)
   2542   tL2C_CCB* p_ccb;
   2543 
   2544   /* If we already have a CCB, then simply return */
   2545   p_ccb = p_lcb->p_fixed_ccbs[fixed_cid - L2CAP_FIRST_FIXED_CHNL];
   2546   if ((p_ccb != NULL) && p_ccb->in_use) {
   2547     /*
   2548      * NOTE: The "in_use" check is needed to ignore leftover entries
   2549      * that have been already released by l2cu_release_ccb().
   2550      */
   2551     return (true);
   2552   }
   2553 
   2554   p_ccb = l2cu_allocate_ccb(NULL, 0);
   2555   if (p_ccb == NULL) return (false);
   2556 
   2557   alarm_cancel(p_lcb->l2c_lcb_timer);
   2558 
   2559   /* Set CID for the connection */
   2560   p_ccb->local_cid = fixed_cid;
   2561   p_ccb->remote_cid = fixed_cid;
   2562 
   2563   p_ccb->is_flushable = false;
   2564 
   2565   if (p_fcr) {
   2566     /* Set the FCR parameters. For now, we will use default pools */
   2567     p_ccb->our_cfg.fcr = p_ccb->peer_cfg.fcr = *p_fcr;
   2568 
   2569     p_ccb->ertm_info.fcr_rx_buf_size = L2CAP_FCR_RX_BUF_SIZE;
   2570     p_ccb->ertm_info.fcr_tx_buf_size = L2CAP_FCR_TX_BUF_SIZE;
   2571     p_ccb->ertm_info.user_rx_buf_size = L2CAP_USER_RX_BUF_SIZE;
   2572     p_ccb->ertm_info.user_tx_buf_size = L2CAP_USER_TX_BUF_SIZE;
   2573 
   2574     p_ccb->fcrb.max_held_acks = p_fcr->tx_win_sz / 3;
   2575   }
   2576 
   2577   /* Link ccb to lcb and lcb to ccb */
   2578   p_lcb->p_fixed_ccbs[fixed_cid - L2CAP_FIRST_FIXED_CHNL] = p_ccb;
   2579   p_ccb->p_lcb = p_lcb;
   2580 
   2581   /* There is no configuration, so if the link is up, the channel is up */
   2582   if (p_lcb->link_state == LST_CONNECTED) p_ccb->chnl_state = CST_OPEN;
   2583 
   2584   /* Set the default idle timeout value to use */
   2585   p_ccb->fixed_chnl_idle_tout =
   2586       l2cb.fixed_reg[fixed_cid - L2CAP_FIRST_FIXED_CHNL].default_idle_tout;
   2587 #endif
   2588   return (true);
   2589 }
   2590 
   2591 /*******************************************************************************
   2592  *
   2593  * Function         l2cu_no_dynamic_ccbs
   2594  *
   2595  * Description      Handles the case when there are no more dynamic CCBs. If
   2596  *                  there are any fixed CCBs, start the longest of the fixed CCB
   2597  *                  timeouts, otherwise start the default link idle timeout or
   2598  *                  disconnect.
   2599  *
   2600  * Returns          void
   2601  *
   2602  ******************************************************************************/
   2603 void l2cu_no_dynamic_ccbs(tL2C_LCB* p_lcb) {
   2604   tBTM_STATUS rc;
   2605   period_ms_t timeout_ms = p_lcb->idle_timeout * 1000;
   2606   bool start_timeout = true;
   2607 
   2608 #if (L2CAP_NUM_FIXED_CHNLS > 0)
   2609   int xx;
   2610 
   2611   for (xx = 0; xx < L2CAP_NUM_FIXED_CHNLS; xx++) {
   2612     if ((p_lcb->p_fixed_ccbs[xx] != NULL) &&
   2613         (p_lcb->p_fixed_ccbs[xx]->fixed_chnl_idle_tout * 1000 > timeout_ms)) {
   2614       timeout_ms = p_lcb->p_fixed_ccbs[xx]->fixed_chnl_idle_tout * 1000;
   2615     }
   2616   }
   2617 #endif
   2618 
   2619   /* If the link is pairing, do not mess with the timeouts */
   2620   if (p_lcb->is_bonding) return;
   2621 
   2622   if (timeout_ms == 0) {
   2623     L2CAP_TRACE_DEBUG(
   2624         "l2cu_no_dynamic_ccbs() IDLE timer 0, disconnecting link");
   2625 
   2626     rc = btm_sec_disconnect(p_lcb->handle, HCI_ERR_PEER_USER);
   2627     if (rc == BTM_CMD_STARTED) {
   2628       l2cu_process_fixed_disc_cback(p_lcb);
   2629       p_lcb->link_state = LST_DISCONNECTING;
   2630       timeout_ms = L2CAP_LINK_DISCONNECT_TIMEOUT_MS;
   2631     } else if (rc == BTM_SUCCESS) {
   2632       l2cu_process_fixed_disc_cback(p_lcb);
   2633       /* BTM SEC will make sure that link is release (probably after pairing is
   2634        * done) */
   2635       p_lcb->link_state = LST_DISCONNECTING;
   2636       start_timeout = false;
   2637     } else if (p_lcb->is_bonding) {
   2638       btsnd_hcic_disconnect(p_lcb->handle, HCI_ERR_PEER_USER);
   2639       l2cu_process_fixed_disc_cback(p_lcb);
   2640       p_lcb->link_state = LST_DISCONNECTING;
   2641       timeout_ms = L2CAP_LINK_DISCONNECT_TIMEOUT_MS;
   2642     } else {
   2643       /* probably no buffer to send disconnect */
   2644       timeout_ms = BT_1SEC_TIMEOUT_MS;
   2645     }
   2646   }
   2647 
   2648   if (start_timeout) {
   2649     L2CAP_TRACE_DEBUG("%s starting IDLE timeout: %d ms", __func__, timeout_ms);
   2650     alarm_set_on_mloop(p_lcb->l2c_lcb_timer, timeout_ms, l2c_lcb_timer_timeout,
   2651                        p_lcb);
   2652   } else {
   2653     alarm_cancel(p_lcb->l2c_lcb_timer);
   2654   }
   2655 }
   2656 
   2657 #if (L2CAP_NUM_FIXED_CHNLS > 0)
   2658 /*******************************************************************************
   2659  *
   2660  * Function         l2cu_process_fixed_chnl_resp
   2661  *
   2662  * Description      handle a fixed channel response (or lack thereof)
   2663  *                  if the link failed, or a fixed channel response was
   2664  *                  not received, the bitfield is all zeros.
   2665  *
   2666  ******************************************************************************/
   2667 void l2cu_process_fixed_chnl_resp(tL2C_LCB* p_lcb) {
   2668   if (p_lcb->transport == BT_TRANSPORT_BR_EDR) {
   2669     /* ignore all not assigned BR/EDR channels */
   2670     p_lcb->peer_chnl_mask[0] &=
   2671         (L2CAP_FIXED_CHNL_SIG_BIT | L2CAP_FIXED_CHNL_CNCTLESS_BIT |
   2672          L2CAP_FIXED_CHNL_SMP_BR_BIT);
   2673   } else
   2674     p_lcb->peer_chnl_mask[0] = l2cb.l2c_ble_fixed_chnls_mask;
   2675 
   2676   /* Tell all registered fixed channels about the connection */
   2677   for (int xx = 0; xx < L2CAP_NUM_FIXED_CHNLS; xx++) {
   2678     /* skip sending LE fix channel callbacks on BR/EDR links */
   2679     if (p_lcb->transport == BT_TRANSPORT_BR_EDR &&
   2680         xx + L2CAP_FIRST_FIXED_CHNL >= L2CAP_ATT_CID &&
   2681         xx + L2CAP_FIRST_FIXED_CHNL <= L2CAP_SMP_CID)
   2682       continue;
   2683     if (l2cb.fixed_reg[xx].pL2CA_FixedConn_Cb != NULL) {
   2684       if (p_lcb->peer_chnl_mask[(xx + L2CAP_FIRST_FIXED_CHNL) / 8] &
   2685           (1 << ((xx + L2CAP_FIRST_FIXED_CHNL) % 8))) {
   2686         if (p_lcb->p_fixed_ccbs[xx])
   2687           p_lcb->p_fixed_ccbs[xx]->chnl_state = CST_OPEN;
   2688         (*l2cb.fixed_reg[xx].pL2CA_FixedConn_Cb)(xx + L2CAP_FIRST_FIXED_CHNL,
   2689                                                  p_lcb->remote_bd_addr, true, 0,
   2690                                                  p_lcb->transport);
   2691       } else {
   2692         (*l2cb.fixed_reg[xx].pL2CA_FixedConn_Cb)(
   2693             xx + L2CAP_FIRST_FIXED_CHNL, p_lcb->remote_bd_addr, false,
   2694             p_lcb->disc_reason, p_lcb->transport);
   2695 
   2696         if (p_lcb->p_fixed_ccbs[xx]) {
   2697           l2cu_release_ccb(p_lcb->p_fixed_ccbs[xx]);
   2698           p_lcb->p_fixed_ccbs[xx] = NULL;
   2699         }
   2700       }
   2701     }
   2702   }
   2703 }
   2704 #endif
   2705 
   2706 /*******************************************************************************
   2707  *
   2708  * Function         l2cu_process_fixed_disc_cback
   2709  *
   2710  * Description      send l2cap fixed channel disconnection callback to the
   2711  *                  application
   2712  *
   2713  * Returns          void
   2714  *
   2715  ******************************************************************************/
   2716 void l2cu_process_fixed_disc_cback(tL2C_LCB* p_lcb) {
   2717 #if (L2CAP_NUM_FIXED_CHNLS > 0)
   2718 
   2719   /* Select peer channels mask to use depending on transport */
   2720   uint8_t peer_channel_mask = p_lcb->peer_chnl_mask[0];
   2721 
   2722   // For LE, reset the stored peer channel mask
   2723   if (p_lcb->transport == BT_TRANSPORT_LE) p_lcb->peer_chnl_mask[0] = 0;
   2724 
   2725   for (int xx = 0; xx < L2CAP_NUM_FIXED_CHNLS; xx++) {
   2726     if (p_lcb->p_fixed_ccbs[xx]) {
   2727       if (p_lcb->p_fixed_ccbs[xx] != p_lcb->p_pending_ccb) {
   2728         tL2C_CCB* p_l2c_chnl_ctrl_block;
   2729         p_l2c_chnl_ctrl_block = p_lcb->p_fixed_ccbs[xx];
   2730         p_lcb->p_fixed_ccbs[xx] = NULL;
   2731         l2cu_release_ccb(p_l2c_chnl_ctrl_block);
   2732         (*l2cb.fixed_reg[xx].pL2CA_FixedConn_Cb)(
   2733             xx + L2CAP_FIRST_FIXED_CHNL, p_lcb->remote_bd_addr, false,
   2734             p_lcb->disc_reason, p_lcb->transport);
   2735       }
   2736     } else if ((peer_channel_mask & (1 << (xx + L2CAP_FIRST_FIXED_CHNL))) &&
   2737                (l2cb.fixed_reg[xx].pL2CA_FixedConn_Cb != NULL))
   2738       (*l2cb.fixed_reg[xx].pL2CA_FixedConn_Cb)(
   2739           xx + L2CAP_FIRST_FIXED_CHNL, p_lcb->remote_bd_addr, false,
   2740           p_lcb->disc_reason, p_lcb->transport);
   2741   }
   2742 #endif
   2743 }
   2744 
   2745 /*******************************************************************************
   2746  *
   2747  * Function         l2cu_send_peer_ble_par_req
   2748  *
   2749  * Description      Build and send a BLE parameter update request message
   2750  *                  to the peer.
   2751  *
   2752  * Returns          void
   2753  *
   2754  ******************************************************************************/
   2755 void l2cu_send_peer_ble_par_req(tL2C_LCB* p_lcb, uint16_t min_int,
   2756                                 uint16_t max_int, uint16_t latency,
   2757                                 uint16_t timeout) {
   2758   BT_HDR* p_buf;
   2759   uint8_t* p;
   2760 
   2761   /* Create an identifier for this packet */
   2762   p_lcb->id++;
   2763   l2cu_adj_id(p_lcb, L2CAP_ADJ_ID);
   2764 
   2765   p_buf = l2cu_build_header(p_lcb, L2CAP_CMD_BLE_UPD_REQ_LEN,
   2766                             L2CAP_CMD_BLE_UPDATE_REQ, p_lcb->id);
   2767   if (p_buf == NULL) {
   2768     L2CAP_TRACE_WARNING("l2cu_send_peer_ble_par_req - no buffer");
   2769     return;
   2770   }
   2771 
   2772   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
   2773       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
   2774 
   2775   UINT16_TO_STREAM(p, min_int);
   2776   UINT16_TO_STREAM(p, max_int);
   2777   UINT16_TO_STREAM(p, latency);
   2778   UINT16_TO_STREAM(p, timeout);
   2779 
   2780   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
   2781 }
   2782 
   2783 /*******************************************************************************
   2784  *
   2785  * Function         l2cu_send_peer_ble_par_rsp
   2786  *
   2787  * Description      Build and send a BLE parameter update response message
   2788  *                  to the peer.
   2789  *
   2790  * Returns          void
   2791  *
   2792  ******************************************************************************/
   2793 void l2cu_send_peer_ble_par_rsp(tL2C_LCB* p_lcb, uint16_t reason,
   2794                                 uint8_t rem_id) {
   2795   BT_HDR* p_buf;
   2796   uint8_t* p;
   2797 
   2798   p_buf = l2cu_build_header(p_lcb, L2CAP_CMD_BLE_UPD_RSP_LEN,
   2799                             L2CAP_CMD_BLE_UPDATE_RSP, rem_id);
   2800   if (p_buf == NULL) {
   2801     L2CAP_TRACE_WARNING("l2cu_send_peer_ble_par_rsp - no buffer");
   2802     return;
   2803   }
   2804 
   2805   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
   2806       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
   2807 
   2808   UINT16_TO_STREAM(p, reason);
   2809 
   2810   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
   2811 }
   2812 
   2813 /*******************************************************************************
   2814  *
   2815  * Function         l2cu_send_peer_ble_credit_based_conn_req
   2816  *
   2817  * Description      Build and send a BLE packet to establish LE connection
   2818  *                  oriented L2CAP channel.
   2819  *
   2820  * Returns          void
   2821  *
   2822  ******************************************************************************/
   2823 void l2cu_send_peer_ble_credit_based_conn_req(tL2C_CCB* p_ccb) {
   2824   BT_HDR* p_buf;
   2825   uint8_t* p;
   2826   tL2C_LCB* p_lcb = NULL;
   2827   uint16_t mtu;
   2828   uint16_t mps;
   2829   uint16_t initial_credit;
   2830 
   2831   if (!p_ccb) return;
   2832   p_lcb = p_ccb->p_lcb;
   2833 
   2834   /* Create an identifier for this packet */
   2835   p_ccb->p_lcb->id++;
   2836   l2cu_adj_id(p_ccb->p_lcb, L2CAP_ADJ_ID);
   2837 
   2838   p_ccb->local_id = p_ccb->p_lcb->id;
   2839 
   2840   p_buf = l2cu_build_header(p_lcb, L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ_LEN,
   2841                             L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ, p_lcb->id);
   2842   if (p_buf == NULL) {
   2843     L2CAP_TRACE_WARNING("l2cu_send_peer_ble_credit_based_conn_req - no buffer");
   2844     return;
   2845   }
   2846 
   2847   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
   2848       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
   2849 
   2850   mtu = p_ccb->local_conn_cfg.mtu;
   2851   mps = p_ccb->local_conn_cfg.mps;
   2852   initial_credit = p_ccb->local_conn_cfg.credits;
   2853 
   2854   L2CAP_TRACE_DEBUG(
   2855       "l2cu_send_peer_ble_credit_based_conn_req PSM:0x%04x local_cid:%d\
   2856                 mtu:%d mps:%d initial_credit:%d",
   2857       p_ccb->p_rcb->real_psm, p_ccb->local_cid, mtu, mps, initial_credit);
   2858 
   2859   UINT16_TO_STREAM(p, p_ccb->p_rcb->real_psm);
   2860   UINT16_TO_STREAM(p, p_ccb->local_cid);
   2861   UINT16_TO_STREAM(p, mtu);
   2862   UINT16_TO_STREAM(p, mps);
   2863   UINT16_TO_STREAM(p, initial_credit);
   2864 
   2865   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
   2866 }
   2867 
   2868 /*******************************************************************************
   2869  *
   2870  * Function         l2cu_reject_ble_connection
   2871  *
   2872  * Description      Build and send an L2CAP "Credit based connection res"
   2873  *                  message to the peer. This function is called for non-success
   2874  *                  cases.
   2875  *
   2876  * Returns          void
   2877  *
   2878  ******************************************************************************/
   2879 void l2cu_reject_ble_connection(tL2C_LCB* p_lcb, uint8_t rem_id,
   2880                                 uint16_t result) {
   2881   BT_HDR* p_buf;
   2882   uint8_t* p;
   2883 
   2884   p_buf = l2cu_build_header(p_lcb, L2CAP_CMD_BLE_CREDIT_BASED_CONN_RES_LEN,
   2885                             L2CAP_CMD_BLE_CREDIT_BASED_CONN_RES, rem_id);
   2886   if (p_buf == NULL) {
   2887     L2CAP_TRACE_WARNING("l2cu_reject_ble_connection - no buffer");
   2888     return;
   2889   }
   2890 
   2891   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
   2892       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
   2893 
   2894   UINT16_TO_STREAM(p, 0); /* Local CID of 0   */
   2895   UINT16_TO_STREAM(p, 0); /* MTU */
   2896   UINT16_TO_STREAM(p, 0); /* MPS */
   2897   UINT16_TO_STREAM(p, 0); /* initial credit */
   2898   UINT16_TO_STREAM(p, result);
   2899 
   2900   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
   2901 }
   2902 
   2903 /*******************************************************************************
   2904  *
   2905  * Function         l2cu_send_peer_ble_credit_based_conn_res
   2906  *
   2907  * Description      Build and send an L2CAP "Credit based connection res"
   2908  *                  message to the peer. This function is called in case of
   2909  *                  success.
   2910  *
   2911  * Returns          void
   2912  *
   2913  ******************************************************************************/
   2914 void l2cu_send_peer_ble_credit_based_conn_res(tL2C_CCB* p_ccb,
   2915                                               uint16_t result) {
   2916   BT_HDR* p_buf;
   2917   uint8_t* p;
   2918 
   2919   L2CAP_TRACE_DEBUG("l2cu_send_peer_ble_credit_based_conn_res");
   2920   p_buf =
   2921       l2cu_build_header(p_ccb->p_lcb, L2CAP_CMD_BLE_CREDIT_BASED_CONN_RES_LEN,
   2922                         L2CAP_CMD_BLE_CREDIT_BASED_CONN_RES, p_ccb->remote_id);
   2923   if (p_buf == NULL) {
   2924     L2CAP_TRACE_WARNING("l2cu_send_peer_ble_credit_based_conn_res - no buffer");
   2925     return;
   2926   }
   2927 
   2928   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
   2929       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
   2930 
   2931   UINT16_TO_STREAM(p, p_ccb->local_cid);              /* Local CID */
   2932   UINT16_TO_STREAM(p, p_ccb->local_conn_cfg.mtu);     /* MTU */
   2933   UINT16_TO_STREAM(p, p_ccb->local_conn_cfg.mps);     /* MPS */
   2934   UINT16_TO_STREAM(p, p_ccb->local_conn_cfg.credits); /* initial credit */
   2935   UINT16_TO_STREAM(p, result);
   2936 
   2937   l2c_link_check_send_pkts(p_ccb->p_lcb, NULL, p_buf);
   2938 }
   2939 
   2940 /*******************************************************************************
   2941  *
   2942  * Function         l2cu_send_peer_ble_flow_control_credit
   2943  *
   2944  * Description      Build and send a BLE packet to give credits to peer device
   2945  *                  for LE connection oriented L2CAP channel.
   2946  *
   2947  * Returns          void
   2948  *
   2949  ******************************************************************************/
   2950 void l2cu_send_peer_ble_flow_control_credit(tL2C_CCB* p_ccb,
   2951                                             uint16_t credit_value) {
   2952   BT_HDR* p_buf;
   2953   uint8_t* p;
   2954   tL2C_LCB* p_lcb = NULL;
   2955 
   2956   if (!p_ccb) return;
   2957   p_lcb = p_ccb->p_lcb;
   2958 
   2959   /* Create an identifier for this packet */
   2960   p_ccb->p_lcb->id++;
   2961   l2cu_adj_id(p_ccb->p_lcb, L2CAP_ADJ_ID);
   2962 
   2963   p_ccb->local_id = p_ccb->p_lcb->id;
   2964 
   2965   p_buf = l2cu_build_header(p_lcb, L2CAP_CMD_BLE_FLOW_CTRL_CREDIT_LEN,
   2966                             L2CAP_CMD_BLE_FLOW_CTRL_CREDIT, p_lcb->id);
   2967   if (p_buf == NULL) {
   2968     L2CAP_TRACE_WARNING("l2cu_send_peer_ble_credit_based_conn_req - no buffer");
   2969     return;
   2970   }
   2971 
   2972   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
   2973       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
   2974 
   2975   UINT16_TO_STREAM(p, p_ccb->local_cid);
   2976   UINT16_TO_STREAM(p, credit_value);
   2977 
   2978   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
   2979 }
   2980 
   2981 /*******************************************************************************
   2982  *
   2983  * Function         l2cu_send_peer_ble_credit_based_conn_req
   2984  *
   2985  * Description      Build and send a BLE packet to disconnect LE connection
   2986  *                  oriented L2CAP channel.
   2987  *
   2988  * Returns          void
   2989  *
   2990  ******************************************************************************/
   2991 void l2cu_send_peer_ble_credit_based_disconn_req(tL2C_CCB* p_ccb) {
   2992   BT_HDR* p_buf;
   2993   uint8_t* p;
   2994   tL2C_LCB* p_lcb = NULL;
   2995   L2CAP_TRACE_DEBUG("%s", __func__);
   2996 
   2997   if (!p_ccb) return;
   2998   p_lcb = p_ccb->p_lcb;
   2999 
   3000   /* Create an identifier for this packet */
   3001   p_ccb->p_lcb->id++;
   3002   l2cu_adj_id(p_ccb->p_lcb, L2CAP_ADJ_ID);
   3003 
   3004   p_ccb->local_id = p_ccb->p_lcb->id;
   3005   p_buf = l2cu_build_header(p_lcb, L2CAP_DISC_REQ_LEN, L2CAP_CMD_DISC_REQ,
   3006                             p_lcb->id);
   3007   if (p_buf == NULL) {
   3008     L2CAP_TRACE_WARNING(
   3009         "l2cu_send_peer_ble_credit_based_disconn_req - no buffer");
   3010     return;
   3011   }
   3012 
   3013   p = (uint8_t*)(p_buf + 1) + L2CAP_SEND_CMD_OFFSET + HCI_DATA_PREAMBLE_SIZE +
   3014       L2CAP_PKT_OVERHEAD + L2CAP_CMD_OVERHEAD;
   3015 
   3016   UINT16_TO_STREAM(p, p_ccb->remote_cid);
   3017   UINT16_TO_STREAM(p, p_ccb->local_cid);
   3018 
   3019   l2c_link_check_send_pkts(p_lcb, NULL, p_buf);
   3020 }
   3021 
   3022 /*******************************************************************************
   3023  * Functions used by both Full and Light Stack
   3024  ******************************************************************************/
   3025 
   3026 /*******************************************************************************
   3027  *
   3028  * Function         l2cu_find_lcb_by_handle
   3029  *
   3030  * Description      Look through all active LCBs for a match based on the
   3031  *                  HCI handle.
   3032  *
   3033  * Returns          pointer to matched LCB, or NULL if no match
   3034  *
   3035  ******************************************************************************/
   3036 tL2C_LCB* l2cu_find_lcb_by_handle(uint16_t handle) {
   3037   int xx;
   3038   tL2C_LCB* p_lcb = &l2cb.lcb_pool[0];
   3039 
   3040   for (xx = 0; xx < MAX_L2CAP_LINKS; xx++, p_lcb++) {
   3041     if ((p_lcb->in_use) && (p_lcb->handle == handle)) {
   3042       return (p_lcb);
   3043     }
   3044   }
   3045 
   3046   /* If here, no match found */
   3047   return (NULL);
   3048 }
   3049 
   3050 /*******************************************************************************
   3051  *
   3052  * Function         l2cu_find_ccb_by_cid
   3053  *
   3054  * Description      Look through all active CCBs on a link for a match based
   3055  *                  on the local CID. If passed the link pointer is NULL, all
   3056  *                  active links are searched.
   3057  *
   3058  * Returns          pointer to matched CCB, or NULL if no match
   3059  *
   3060  ******************************************************************************/
   3061 tL2C_CCB* l2cu_find_ccb_by_cid(tL2C_LCB* p_lcb, uint16_t local_cid) {
   3062   tL2C_CCB* p_ccb = NULL;
   3063 #if (L2CAP_UCD_INCLUDED == TRUE)
   3064   uint8_t xx;
   3065 #endif
   3066 
   3067   if (local_cid >= L2CAP_BASE_APPL_CID) {
   3068     /* find the associated CCB by "index" */
   3069     local_cid -= L2CAP_BASE_APPL_CID;
   3070 
   3071     if (local_cid >= MAX_L2CAP_CHANNELS) return NULL;
   3072 
   3073     p_ccb = l2cb.ccb_pool + local_cid;
   3074 
   3075     /* make sure the CCB is in use */
   3076     if (!p_ccb->in_use) {
   3077       p_ccb = NULL;
   3078     }
   3079     /* make sure it's for the same LCB */
   3080     else if (p_lcb && p_lcb != p_ccb->p_lcb) {
   3081       p_ccb = NULL;
   3082     }
   3083   }
   3084 #if (L2CAP_UCD_INCLUDED == TRUE)
   3085   else {
   3086     /* searching fixed channel */
   3087     p_ccb = l2cb.ccb_pool;
   3088     for (xx = 0; xx < MAX_L2CAP_CHANNELS; xx++) {
   3089       if ((p_ccb->local_cid == local_cid) && (p_ccb->in_use) &&
   3090           (p_lcb == p_ccb->p_lcb))
   3091         break;
   3092       else
   3093         p_ccb++;
   3094     }
   3095     if (xx >= MAX_L2CAP_CHANNELS) return NULL;
   3096   }
   3097 #endif
   3098 
   3099   return (p_ccb);
   3100 }
   3101 
   3102 #if (L2CAP_ROUND_ROBIN_CHANNEL_SERVICE == TRUE)
   3103 
   3104 /******************************************************************************
   3105  *
   3106  * Function         l2cu_get_next_channel_in_rr
   3107  *
   3108  * Description      get the next channel to send on a link. It also adjusts the
   3109  *                  CCB queue to do a basic priority and round-robin scheduling.
   3110  *
   3111  * Returns          pointer to CCB or NULL
   3112  *
   3113  ******************************************************************************/
   3114 static tL2C_CCB* l2cu_get_next_channel_in_rr(tL2C_LCB* p_lcb) {
   3115   tL2C_CCB* p_serve_ccb = NULL;
   3116   tL2C_CCB* p_ccb;
   3117 
   3118   int i, j;
   3119 
   3120   /* scan all of priority until finding a channel to serve */
   3121   for (i = 0; (i < L2CAP_NUM_CHNL_PRIORITY) && (!p_serve_ccb); i++) {
   3122     /* scan all channel within serving priority group until finding a channel to
   3123      * serve */
   3124     for (j = 0; (j < p_lcb->rr_serv[p_lcb->rr_pri].num_ccb) && (!p_serve_ccb);
   3125          j++) {
   3126       /* scaning from next serving channel */
   3127       p_ccb = p_lcb->rr_serv[p_lcb->rr_pri].p_serve_ccb;
   3128 
   3129       if (!p_ccb) {
   3130         L2CAP_TRACE_ERROR("p_serve_ccb is NULL, rr_pri=%d", p_lcb->rr_pri);
   3131         return NULL;
   3132       }
   3133 
   3134       L2CAP_TRACE_DEBUG("RR scan pri=%d, lcid=0x%04x, q_cout=%d",
   3135                         p_ccb->ccb_priority, p_ccb->local_cid,
   3136                         fixed_queue_length(p_ccb->xmit_hold_q));
   3137 
   3138       /* store the next serving channel */
   3139       /* this channel is the last channel of its priority group */
   3140       if ((p_ccb->p_next_ccb == NULL) ||
   3141           (p_ccb->p_next_ccb->ccb_priority != p_ccb->ccb_priority)) {
   3142         /* next serving channel is set to the first channel in the group */
   3143         p_lcb->rr_serv[p_lcb->rr_pri].p_serve_ccb =
   3144             p_lcb->rr_serv[p_lcb->rr_pri].p_first_ccb;
   3145       } else {
   3146         /* next serving channel is set to the next channel in the group */
   3147         p_lcb->rr_serv[p_lcb->rr_pri].p_serve_ccb = p_ccb->p_next_ccb;
   3148       }
   3149 
   3150       if (p_ccb->chnl_state != CST_OPEN) continue;
   3151 
   3152       if (p_ccb->p_lcb->transport == BT_TRANSPORT_LE) {
   3153         L2CAP_TRACE_DEBUG("%s : Connection oriented channel", __func__);
   3154         if (fixed_queue_is_empty(p_ccb->xmit_hold_q)) continue;
   3155 
   3156       } else {
   3157         /* eL2CAP option in use */
   3158         if (p_ccb->peer_cfg.fcr.mode != L2CAP_FCR_BASIC_MODE) {
   3159           if (p_ccb->fcrb.wait_ack || p_ccb->fcrb.remote_busy) continue;
   3160 
   3161           if (fixed_queue_is_empty(p_ccb->fcrb.retrans_q)) {
   3162             if (fixed_queue_is_empty(p_ccb->xmit_hold_q)) continue;
   3163 
   3164             /* If in eRTM mode, check for window closure */
   3165             if ((p_ccb->peer_cfg.fcr.mode == L2CAP_FCR_ERTM_MODE) &&
   3166                 (l2c_fcr_is_flow_controlled(p_ccb)))
   3167               continue;
   3168           }
   3169         } else {
   3170           if (fixed_queue_is_empty(p_ccb->xmit_hold_q)) continue;
   3171         }
   3172       }
   3173 
   3174       /* found a channel to serve */
   3175       p_serve_ccb = p_ccb;
   3176       /* decrease quota of its priority group */
   3177       p_lcb->rr_serv[p_lcb->rr_pri].quota--;
   3178     }
   3179 
   3180     /* if there is no more quota of the priority group or no channel to have
   3181      * data to send */
   3182     if ((p_lcb->rr_serv[p_lcb->rr_pri].quota == 0) || (!p_serve_ccb)) {
   3183       /* serve next priority group */
   3184       p_lcb->rr_pri = (p_lcb->rr_pri + 1) % L2CAP_NUM_CHNL_PRIORITY;
   3185       /* initialize its quota */
   3186       p_lcb->rr_serv[p_lcb->rr_pri].quota =
   3187           L2CAP_GET_PRIORITY_QUOTA(p_lcb->rr_pri);
   3188     }
   3189   }
   3190 
   3191   if (p_serve_ccb) {
   3192     L2CAP_TRACE_DEBUG("RR service pri=%d, quota=%d, lcid=0x%04x",
   3193                       p_serve_ccb->ccb_priority,
   3194                       p_lcb->rr_serv[p_serve_ccb->ccb_priority].quota,
   3195                       p_serve_ccb->local_cid);
   3196   }
   3197 
   3198   return p_serve_ccb;
   3199 }
   3200 
   3201 #else  /* (L2CAP_ROUND_ROBIN_CHANNEL_SERVICE == TRUE) */
   3202 
   3203 /******************************************************************************
   3204  *
   3205  * Function         l2cu_get_next_channel
   3206  *
   3207  * Description      get the next channel to send on a link bassed on priority
   3208  *                  scheduling.
   3209  *
   3210  * Returns          pointer to CCB or NULL
   3211  *
   3212  ******************************************************************************/
   3213 static tL2C_CCB* l2cu_get_next_channel(tL2C_LCB* p_lcb) {
   3214   tL2C_CCB* p_ccb;
   3215 
   3216   /* Get the first CCB with data to send.
   3217   */
   3218   for (p_ccb = p_lcb->ccb_queue.p_first_ccb; p_ccb; p_ccb = p_ccb->p_next_ccb) {
   3219     if (p_ccb->chnl_state != CST_OPEN) continue;
   3220 
   3221     if (p_ccb->fcrb.wait_ack || p_ccb->fcrb.remote_busy) continue;
   3222 
   3223     if (!fixed_queue_is_empty(p_ccb->fcrb.retrans_q)) return p_ccb;
   3224 
   3225     if (fixed_queue_is_empty(p_ccb->xmit_hold_q)) continue;
   3226 
   3227     /* If in eRTM mode, check for window closure */
   3228     if ((p_ccb->peer_cfg.fcr.mode == L2CAP_FCR_ERTM_MODE) &&
   3229         (l2c_fcr_is_flow_controlled(p_ccb)))
   3230       continue;
   3231 
   3232     /* If here, we found someone */
   3233     return p_ccb;
   3234   }
   3235 
   3236   return NULL;
   3237 }
   3238 #endif /* (L2CAP_ROUND_ROBIN_CHANNEL_SERVICE == TRUE) */
   3239 
   3240 void l2cu_tx_complete(tL2C_TX_COMPLETE_CB_INFO* p_cbi) {
   3241   if (p_cbi->cb != NULL) p_cbi->cb(p_cbi->local_cid, p_cbi->num_sdu);
   3242 }
   3243 
   3244 /******************************************************************************
   3245  *
   3246  * Function         l2cu_get_next_buffer_to_send
   3247  *
   3248  * Description      get the next buffer to send on a link. It also adjusts the
   3249  *                  CCB queue to do a basic priority and round-robin scheduling.
   3250  *
   3251  * Returns          pointer to buffer or NULL
   3252  *
   3253  ******************************************************************************/
   3254 BT_HDR* l2cu_get_next_buffer_to_send(tL2C_LCB* p_lcb,
   3255                                      tL2C_TX_COMPLETE_CB_INFO* p_cbi) {
   3256   tL2C_CCB* p_ccb;
   3257   BT_HDR* p_buf;
   3258 
   3259 /* Highest priority are fixed channels */
   3260 #if (L2CAP_NUM_FIXED_CHNLS > 0)
   3261   int xx;
   3262 
   3263   p_cbi->cb = NULL;
   3264 
   3265   for (xx = 0; xx < L2CAP_NUM_FIXED_CHNLS; xx++) {
   3266     p_ccb = p_lcb->p_fixed_ccbs[xx];
   3267     if (p_ccb == NULL) continue;
   3268 
   3269     /* eL2CAP option in use */
   3270     if (p_ccb->peer_cfg.fcr.mode != L2CAP_FCR_BASIC_MODE) {
   3271       if (p_ccb->fcrb.wait_ack || p_ccb->fcrb.remote_busy) continue;
   3272 
   3273       /* No more checks needed if sending from the reatransmit queue */
   3274       if (fixed_queue_is_empty(p_ccb->fcrb.retrans_q)) {
   3275         if (fixed_queue_is_empty(p_ccb->xmit_hold_q)) continue;
   3276 
   3277         /* If in eRTM mode, check for window closure */
   3278         if ((p_ccb->peer_cfg.fcr.mode == L2CAP_FCR_ERTM_MODE) &&
   3279             (l2c_fcr_is_flow_controlled(p_ccb)))
   3280           continue;
   3281       }
   3282 
   3283       p_buf = l2c_fcr_get_next_xmit_sdu_seg(p_ccb, 0);
   3284       if (p_buf != NULL) {
   3285         l2cu_check_channel_congestion(p_ccb);
   3286         l2cu_set_acl_hci_header(p_buf, p_ccb);
   3287         return (p_buf);
   3288       }
   3289     } else {
   3290       if (!fixed_queue_is_empty(p_ccb->xmit_hold_q)) {
   3291         p_buf = (BT_HDR*)fixed_queue_try_dequeue(p_ccb->xmit_hold_q);
   3292         if (NULL == p_buf) {
   3293           L2CAP_TRACE_ERROR("%s: No data to be sent", __func__);
   3294           return (NULL);
   3295         }
   3296 
   3297         /* Prepare callback info for TX completion */
   3298         p_cbi->cb = l2cb.fixed_reg[xx].pL2CA_FixedTxComplete_Cb;
   3299         p_cbi->local_cid = p_ccb->local_cid;
   3300         p_cbi->num_sdu = 1;
   3301 
   3302         l2cu_check_channel_congestion(p_ccb);
   3303         l2cu_set_acl_hci_header(p_buf, p_ccb);
   3304         return (p_buf);
   3305       }
   3306     }
   3307   }
   3308 #endif
   3309 
   3310 #if (L2CAP_ROUND_ROBIN_CHANNEL_SERVICE == TRUE)
   3311   /* get next serving channel in round-robin */
   3312   p_ccb = l2cu_get_next_channel_in_rr(p_lcb);
   3313 #else
   3314   p_ccb = l2cu_get_next_channel(p_lcb);
   3315 #endif
   3316 
   3317   /* Return if no buffer */
   3318   if (p_ccb == NULL) return (NULL);
   3319 
   3320   if (p_ccb->p_lcb->transport == BT_TRANSPORT_LE) {
   3321     /* Check credits */
   3322     if (p_ccb->peer_conn_cfg.credits == 0) {
   3323       L2CAP_TRACE_DEBUG("%s No credits to send packets", __func__);
   3324       return NULL;
   3325     }
   3326     p_buf = l2c_lcc_get_next_xmit_sdu_seg(p_ccb, 0);
   3327     if (p_buf == NULL) return (NULL);
   3328 
   3329     p_ccb->peer_conn_cfg.credits--;
   3330   } else {
   3331     if (p_ccb->peer_cfg.fcr.mode != L2CAP_FCR_BASIC_MODE) {
   3332       p_buf = l2c_fcr_get_next_xmit_sdu_seg(p_ccb, 0);
   3333       if (p_buf == NULL) return (NULL);
   3334     } else {
   3335       p_buf = (BT_HDR*)fixed_queue_try_dequeue(p_ccb->xmit_hold_q);
   3336       if (NULL == p_buf) {
   3337         L2CAP_TRACE_ERROR("l2cu_get_buffer_to_send() #2: No data to be sent");
   3338         return (NULL);
   3339       }
   3340     }
   3341   }
   3342 
   3343   if (p_ccb->p_rcb && p_ccb->p_rcb->api.pL2CA_TxComplete_Cb &&
   3344       (p_ccb->peer_cfg.fcr.mode != L2CAP_FCR_ERTM_MODE))
   3345     (*p_ccb->p_rcb->api.pL2CA_TxComplete_Cb)(p_ccb->local_cid, 1);
   3346 
   3347   l2cu_check_channel_congestion(p_ccb);
   3348 
   3349   l2cu_set_acl_hci_header(p_buf, p_ccb);
   3350 
   3351   return (p_buf);
   3352 }
   3353 
   3354 /******************************************************************************
   3355  *
   3356  * Function         l2cu_set_acl_hci_header
   3357  *
   3358  * Description      Set HCI handle for ACL packet
   3359  *
   3360  * Returns          None
   3361  *
   3362  ******************************************************************************/
   3363 void l2cu_set_acl_hci_header(BT_HDR* p_buf, tL2C_CCB* p_ccb) {
   3364   uint8_t* p;
   3365 
   3366   /* Set the pointer to the beginning of the data minus 4 bytes for the packet
   3367    * header */
   3368   p = (uint8_t*)(p_buf + 1) + p_buf->offset - HCI_DATA_PREAMBLE_SIZE;
   3369 
   3370   if (p_ccb->p_lcb->transport == BT_TRANSPORT_LE) {
   3371     UINT16_TO_STREAM(p, p_ccb->p_lcb->handle | (L2CAP_PKT_START_NON_FLUSHABLE
   3372                                                 << L2CAP_PKT_TYPE_SHIFT));
   3373 
   3374     uint16_t acl_data_size =
   3375         controller_get_interface()->get_acl_data_size_ble();
   3376     /* The HCI transport will segment the buffers. */
   3377     if (p_buf->len > acl_data_size) {
   3378       UINT16_TO_STREAM(p, acl_data_size);
   3379     } else {
   3380       UINT16_TO_STREAM(p, p_buf->len);
   3381     }
   3382   } else {
   3383 #if (L2CAP_NON_FLUSHABLE_PB_INCLUDED == TRUE)
   3384     if ((((p_buf->layer_specific & L2CAP_FLUSHABLE_MASK) ==
   3385           L2CAP_FLUSHABLE_CH_BASED) &&
   3386          (p_ccb->is_flushable)) ||
   3387         ((p_buf->layer_specific & L2CAP_FLUSHABLE_MASK) ==
   3388          L2CAP_FLUSHABLE_PKT)) {
   3389       UINT16_TO_STREAM(
   3390           p, p_ccb->p_lcb->handle | (L2CAP_PKT_START << L2CAP_PKT_TYPE_SHIFT));
   3391     } else {
   3392       UINT16_TO_STREAM(p, p_ccb->p_lcb->handle | l2cb.non_flushable_pbf);
   3393     }
   3394 #else
   3395     UINT16_TO_STREAM(
   3396         p, p_ccb->p_lcb->handle | (L2CAP_PKT_START << L2CAP_PKT_TYPE_SHIFT));
   3397 #endif
   3398 
   3399     uint16_t acl_data_size =
   3400         controller_get_interface()->get_acl_data_size_classic();
   3401     /* The HCI transport will segment the buffers. */
   3402     if (p_buf->len > acl_data_size) {
   3403       UINT16_TO_STREAM(p, acl_data_size);
   3404     } else {
   3405       UINT16_TO_STREAM(p, p_buf->len);
   3406     }
   3407   }
   3408   p_buf->offset -= HCI_DATA_PREAMBLE_SIZE;
   3409   p_buf->len += HCI_DATA_PREAMBLE_SIZE;
   3410 }
   3411 
   3412 /******************************************************************************
   3413  *
   3414  * Function         l2cu_check_channel_congestion
   3415  *
   3416  * Description      check if any change in congestion status
   3417  *
   3418  * Returns          None
   3419  *
   3420  ******************************************************************************/
   3421 void l2cu_check_channel_congestion(tL2C_CCB* p_ccb) {
   3422   size_t q_count = fixed_queue_length(p_ccb->xmit_hold_q);
   3423 
   3424 #if (L2CAP_UCD_INCLUDED == TRUE)
   3425   if (p_ccb->local_cid == L2CAP_CONNECTIONLESS_CID) {
   3426     q_count += fixed_queue_length(p_ccb->p_lcb->ucd_out_sec_pending_q);
   3427   }
   3428 #endif
   3429   /* If the CCB queue limit is subject to a quota, check for congestion */
   3430   /* if this channel has outgoing traffic */
   3431   if (p_ccb->buff_quota != 0) {
   3432     /* If this channel was congested */
   3433     if (p_ccb->cong_sent) {
   3434       /* If the channel is not congested now, tell the app */
   3435       if (q_count <= (p_ccb->buff_quota / 2)) {
   3436         p_ccb->cong_sent = false;
   3437         if (p_ccb->p_rcb && p_ccb->p_rcb->api.pL2CA_CongestionStatus_Cb) {
   3438           L2CAP_TRACE_DEBUG(
   3439               "L2CAP - Calling CongestionStatus_Cb (false), CID: 0x%04x  "
   3440               "xmit_hold_q.count: %u  buff_quota: %u",
   3441               p_ccb->local_cid, q_count, p_ccb->buff_quota);
   3442 
   3443           /* Prevent recursive calling */
   3444           l2cb.is_cong_cback_context = true;
   3445           (*p_ccb->p_rcb->api.pL2CA_CongestionStatus_Cb)(p_ccb->local_cid,
   3446                                                          false);
   3447           l2cb.is_cong_cback_context = false;
   3448         }
   3449 #if (L2CAP_UCD_INCLUDED == TRUE)
   3450         else if (p_ccb->p_rcb && p_ccb->local_cid == L2CAP_CONNECTIONLESS_CID) {
   3451           if (p_ccb->p_rcb->ucd.cb_info.pL2CA_UCD_Congestion_Status_Cb) {
   3452             L2CAP_TRACE_DEBUG(
   3453                 "L2CAP - Calling UCD CongestionStatus_Cb (false), "
   3454                 "SecPendingQ:%u,XmitQ:%u,Quota:%u",
   3455                 fixed_queue_length(p_ccb->p_lcb->ucd_out_sec_pending_q),
   3456                 fixed_queue_length(p_ccb->xmit_hold_q), p_ccb->buff_quota);
   3457             p_ccb->p_rcb->ucd.cb_info.pL2CA_UCD_Congestion_Status_Cb(
   3458                 p_ccb->p_lcb->remote_bd_addr, false);
   3459           }
   3460         }
   3461 #endif
   3462 #if (L2CAP_NUM_FIXED_CHNLS > 0)
   3463         else {
   3464           uint8_t xx;
   3465           for (xx = 0; xx < L2CAP_NUM_FIXED_CHNLS; xx++) {
   3466             if (p_ccb->p_lcb->p_fixed_ccbs[xx] == p_ccb) {
   3467               if (l2cb.fixed_reg[xx].pL2CA_FixedCong_Cb != NULL)
   3468                 (*l2cb.fixed_reg[xx].pL2CA_FixedCong_Cb)(
   3469                     p_ccb->p_lcb->remote_bd_addr, false);
   3470               break;
   3471             }
   3472           }
   3473         }
   3474 #endif
   3475       }
   3476     } else {
   3477       /* If this channel was not congested but it is congested now, tell the app
   3478        */
   3479       if (q_count > p_ccb->buff_quota) {
   3480         p_ccb->cong_sent = true;
   3481         if (p_ccb->p_rcb && p_ccb->p_rcb->api.pL2CA_CongestionStatus_Cb) {
   3482           L2CAP_TRACE_DEBUG(
   3483               "L2CAP - Calling CongestionStatus_Cb "
   3484               "(true),CID:0x%04x,XmitQ:%u,Quota:%u",
   3485               p_ccb->local_cid, q_count, p_ccb->buff_quota);
   3486 
   3487           (*p_ccb->p_rcb->api.pL2CA_CongestionStatus_Cb)(p_ccb->local_cid,
   3488                                                          true);
   3489         }
   3490 #if (L2CAP_UCD_INCLUDED == TRUE)
   3491         else if (p_ccb->p_rcb && p_ccb->local_cid == L2CAP_CONNECTIONLESS_CID) {
   3492           if (p_ccb->p_rcb->ucd.cb_info.pL2CA_UCD_Congestion_Status_Cb) {
   3493             L2CAP_TRACE_DEBUG(
   3494                 "L2CAP - Calling UCD CongestionStatus_Cb (true), "
   3495                 "SecPendingQ:%u,XmitQ:%u,Quota:%u",
   3496                 fixed_queue_length(p_ccb->p_lcb->ucd_out_sec_pending_q),
   3497                 fixed_queue_length(p_ccb->xmit_hold_q), p_ccb->buff_quota);
   3498             p_ccb->p_rcb->ucd.cb_info.pL2CA_UCD_Congestion_Status_Cb(
   3499                 p_ccb->p_lcb->remote_bd_addr, true);
   3500           }
   3501         }
   3502 #endif
   3503 #if (L2CAP_NUM_FIXED_CHNLS > 0)
   3504         else {
   3505           uint8_t xx;
   3506           for (xx = 0; xx < L2CAP_NUM_FIXED_CHNLS; xx++) {
   3507             if (p_ccb->p_lcb->p_fixed_ccbs[xx] == p_ccb) {
   3508               if (l2cb.fixed_reg[xx].pL2CA_FixedCong_Cb != NULL)
   3509                 (*l2cb.fixed_reg[xx].pL2CA_FixedCong_Cb)(
   3510                     p_ccb->p_lcb->remote_bd_addr, true);
   3511               break;
   3512             }
   3513           }
   3514         }
   3515 #endif
   3516       }
   3517     }
   3518   }
   3519 }
   3520 
   3521 /*******************************************************************************
   3522  *
   3523  * Function         l2cu_is_ccb_active
   3524  *
   3525  * Description      Check if Channel Control Block is in use or released
   3526  *
   3527  * Returns          bool    - true if Channel Control Block is in use
   3528  *                            false if p_ccb is null or is released.
   3529  *
   3530  ******************************************************************************/
   3531 bool l2cu_is_ccb_active(tL2C_CCB* p_ccb) { return (p_ccb && p_ccb->in_use); }
   3532