~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/bluetooth/rfcomm/core.c

Version: ~ [ linux-5.4-rc3 ] ~ [ linux-5.3.6 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.79 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.149 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.196 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.196 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.75 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
  3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
  4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
  5 
  6    This program is free software; you can redistribute it and/or modify
  7    it under the terms of the GNU General Public License version 2 as
  8    published by the Free Software Foundation;
  9 
 10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
 13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
 14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
 15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 18 
 19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
 20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
 21    SOFTWARE IS DISCLAIMED.
 22 */
 23 
 24 /*
 25  * Bluetooth RFCOMM core.
 26  */
 27 
 28 #include <linux/module.h>
 29 #include <linux/debugfs.h>
 30 #include <linux/kthread.h>
 31 #include <asm/unaligned.h>
 32 
 33 #include <net/bluetooth/bluetooth.h>
 34 #include <net/bluetooth/hci_core.h>
 35 #include <net/bluetooth/l2cap.h>
 36 #include <net/bluetooth/rfcomm.h>
 37 
 38 #define VERSION "1.11"
 39 
 40 static bool disable_cfc;
 41 static bool l2cap_ertm;
 42 static int channel_mtu = -1;
 43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
 44 
 45 static struct task_struct *rfcomm_thread;
 46 
 47 static DEFINE_MUTEX(rfcomm_mutex);
 48 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
 49 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
 50 
 51 
 52 static LIST_HEAD(session_list);
 53 
 54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
 55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
 56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
 57 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
 58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
 59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
 60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
 61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
 62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
 63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
 64 
 65 static void rfcomm_process_connect(struct rfcomm_session *s);
 66 
 67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
 68                                                         bdaddr_t *dst,
 69                                                         u8 sec_level,
 70                                                         int *err);
 71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
 72 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
 73 
 74 /* ---- RFCOMM frame parsing macros ---- */
 75 #define __get_dlci(b)     ((b & 0xfc) >> 2)
 76 #define __get_channel(b)  ((b & 0xf8) >> 3)
 77 #define __get_dir(b)      ((b & 0x04) >> 2)
 78 #define __get_type(b)     ((b & 0xef))
 79 
 80 #define __test_ea(b)      ((b & 0x01))
 81 #define __test_cr(b)      ((b & 0x02))
 82 #define __test_pf(b)      ((b & 0x10))
 83 
 84 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
 85 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
 86 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
 87 #define __srv_channel(dlci)    (dlci >> 1)
 88 #define __dir(dlci)            (dlci & 0x01)
 89 
 90 #define __len8(len)       (((len) << 1) | 1)
 91 #define __len16(len)      ((len) << 1)
 92 
 93 /* MCC macros */
 94 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
 95 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
 96 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
 97 
 98 /* RPN macros */
 99 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
100 #define __get_rpn_data_bits(line) ((line) & 0x3)
101 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
102 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
103 
104 static void rfcomm_schedule(void)
105 {
106         if (!rfcomm_thread)
107                 return;
108         wake_up_process(rfcomm_thread);
109 }
110 
111 /* ---- RFCOMM FCS computation ---- */
112 
113 /* reversed, 8-bit, poly=0x07 */
114 static unsigned char rfcomm_crc_table[256] = {
115         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
116         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
117         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
118         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
119 
120         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
121         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
122         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
123         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
124 
125         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
126         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
127         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
128         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
129 
130         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
131         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
132         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
133         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
134 
135         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
136         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
137         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
138         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
139 
140         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
141         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
142         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
143         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
144 
145         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
146         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
147         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
148         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
149 
150         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
151         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
152         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
153         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
154 };
155 
156 /* CRC on 2 bytes */
157 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
158 
159 /* FCS on 2 bytes */
160 static inline u8 __fcs(u8 *data)
161 {
162         return 0xff - __crc(data);
163 }
164 
165 /* FCS on 3 bytes */
166 static inline u8 __fcs2(u8 *data)
167 {
168         return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
169 }
170 
171 /* Check FCS */
172 static inline int __check_fcs(u8 *data, int type, u8 fcs)
173 {
174         u8 f = __crc(data);
175 
176         if (type != RFCOMM_UIH)
177                 f = rfcomm_crc_table[f ^ data[2]];
178 
179         return rfcomm_crc_table[f ^ fcs] != 0xcf;
180 }
181 
182 /* ---- L2CAP callbacks ---- */
183 static void rfcomm_l2state_change(struct sock *sk)
184 {
185         BT_DBG("%p state %d", sk, sk->sk_state);
186         rfcomm_schedule();
187 }
188 
189 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
190 {
191         BT_DBG("%p bytes %d", sk, bytes);
192         rfcomm_schedule();
193 }
194 
195 static int rfcomm_l2sock_create(struct socket **sock)
196 {
197         int err;
198 
199         BT_DBG("");
200 
201         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
202         if (!err) {
203                 struct sock *sk = (*sock)->sk;
204                 sk->sk_data_ready   = rfcomm_l2data_ready;
205                 sk->sk_state_change = rfcomm_l2state_change;
206         }
207         return err;
208 }
209 
210 static int rfcomm_check_security(struct rfcomm_dlc *d)
211 {
212         struct sock *sk = d->session->sock->sk;
213         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
214 
215         __u8 auth_type;
216 
217         switch (d->sec_level) {
218         case BT_SECURITY_HIGH:
219                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
220                 break;
221         case BT_SECURITY_MEDIUM:
222                 auth_type = HCI_AT_GENERAL_BONDING;
223                 break;
224         default:
225                 auth_type = HCI_AT_NO_BONDING;
226                 break;
227         }
228 
229         return hci_conn_security(conn->hcon, d->sec_level, auth_type);
230 }
231 
232 static void rfcomm_session_timeout(unsigned long arg)
233 {
234         struct rfcomm_session *s = (void *) arg;
235 
236         BT_DBG("session %p state %ld", s, s->state);
237 
238         set_bit(RFCOMM_TIMED_OUT, &s->flags);
239         rfcomm_schedule();
240 }
241 
242 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
243 {
244         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
245 
246         mod_timer(&s->timer, jiffies + timeout);
247 }
248 
249 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
250 {
251         BT_DBG("session %p state %ld", s, s->state);
252 
253         del_timer_sync(&s->timer);
254 }
255 
256 /* ---- RFCOMM DLCs ---- */
257 static void rfcomm_dlc_timeout(unsigned long arg)
258 {
259         struct rfcomm_dlc *d = (void *) arg;
260 
261         BT_DBG("dlc %p state %ld", d, d->state);
262 
263         set_bit(RFCOMM_TIMED_OUT, &d->flags);
264         rfcomm_dlc_put(d);
265         rfcomm_schedule();
266 }
267 
268 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
269 {
270         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
271 
272         if (!mod_timer(&d->timer, jiffies + timeout))
273                 rfcomm_dlc_hold(d);
274 }
275 
276 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
277 {
278         BT_DBG("dlc %p state %ld", d, d->state);
279 
280         if (del_timer(&d->timer))
281                 rfcomm_dlc_put(d);
282 }
283 
284 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
285 {
286         BT_DBG("%p", d);
287 
288         d->state      = BT_OPEN;
289         d->flags      = 0;
290         d->mscex      = 0;
291         d->sec_level  = BT_SECURITY_LOW;
292         d->mtu        = RFCOMM_DEFAULT_MTU;
293         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
294 
295         d->cfc        = RFCOMM_CFC_DISABLED;
296         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
297 }
298 
299 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
300 {
301         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
302 
303         if (!d)
304                 return NULL;
305 
306         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
307 
308         skb_queue_head_init(&d->tx_queue);
309         spin_lock_init(&d->lock);
310         atomic_set(&d->refcnt, 1);
311 
312         rfcomm_dlc_clear_state(d);
313 
314         BT_DBG("%p", d);
315 
316         return d;
317 }
318 
319 void rfcomm_dlc_free(struct rfcomm_dlc *d)
320 {
321         BT_DBG("%p", d);
322 
323         skb_queue_purge(&d->tx_queue);
324         kfree(d);
325 }
326 
327 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
328 {
329         BT_DBG("dlc %p session %p", d, s);
330 
331         rfcomm_session_clear_timer(s);
332         rfcomm_dlc_hold(d);
333         list_add(&d->list, &s->dlcs);
334         d->session = s;
335 }
336 
337 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
338 {
339         struct rfcomm_session *s = d->session;
340 
341         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
342 
343         list_del(&d->list);
344         d->session = NULL;
345         rfcomm_dlc_put(d);
346 
347         if (list_empty(&s->dlcs))
348                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
349 }
350 
351 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
352 {
353         struct rfcomm_dlc *d;
354 
355         list_for_each_entry(d, &s->dlcs, list)
356                 if (d->dlci == dlci)
357                         return d;
358 
359         return NULL;
360 }
361 
362 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
363 {
364         struct rfcomm_session *s;
365         int err = 0;
366         u8 dlci;
367 
368         BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
369                d, d->state, src, dst, channel);
370 
371         if (channel < 1 || channel > 30)
372                 return -EINVAL;
373 
374         if (d->state != BT_OPEN && d->state != BT_CLOSED)
375                 return 0;
376 
377         s = rfcomm_session_get(src, dst);
378         if (!s) {
379                 s = rfcomm_session_create(src, dst, d->sec_level, &err);
380                 if (!s)
381                         return err;
382         }
383 
384         dlci = __dlci(!s->initiator, channel);
385 
386         /* Check if DLCI already exists */
387         if (rfcomm_dlc_get(s, dlci))
388                 return -EBUSY;
389 
390         rfcomm_dlc_clear_state(d);
391 
392         d->dlci     = dlci;
393         d->addr     = __addr(s->initiator, dlci);
394         d->priority = 7;
395 
396         d->state = BT_CONFIG;
397         rfcomm_dlc_link(s, d);
398 
399         d->out = 1;
400 
401         d->mtu = s->mtu;
402         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
403 
404         if (s->state == BT_CONNECTED) {
405                 if (rfcomm_check_security(d))
406                         rfcomm_send_pn(s, 1, d);
407                 else
408                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
409         }
410 
411         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
412 
413         return 0;
414 }
415 
416 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
417 {
418         int r;
419 
420         rfcomm_lock();
421 
422         r = __rfcomm_dlc_open(d, src, dst, channel);
423 
424         rfcomm_unlock();
425         return r;
426 }
427 
428 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
429 {
430         struct rfcomm_session *s = d->session;
431         if (!s)
432                 return 0;
433 
434         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
435                         d, d->state, d->dlci, err, s);
436 
437         switch (d->state) {
438         case BT_CONNECT:
439         case BT_CONFIG:
440                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
441                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
442                         rfcomm_schedule();
443                         break;
444                 }
445                 /* Fall through */
446 
447         case BT_CONNECTED:
448                 d->state = BT_DISCONN;
449                 if (skb_queue_empty(&d->tx_queue)) {
450                         rfcomm_send_disc(s, d->dlci);
451                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
452                 } else {
453                         rfcomm_queue_disc(d);
454                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
455                 }
456                 break;
457 
458         case BT_OPEN:
459         case BT_CONNECT2:
460                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
461                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
462                         rfcomm_schedule();
463                         break;
464                 }
465                 /* Fall through */
466 
467         default:
468                 rfcomm_dlc_clear_timer(d);
469 
470                 rfcomm_dlc_lock(d);
471                 d->state = BT_CLOSED;
472                 d->state_change(d, err);
473                 rfcomm_dlc_unlock(d);
474 
475                 skb_queue_purge(&d->tx_queue);
476                 rfcomm_dlc_unlink(d);
477         }
478 
479         return 0;
480 }
481 
482 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
483 {
484         int r = 0;
485         struct rfcomm_dlc *d_list;
486         struct rfcomm_session *s, *s_list;
487 
488         BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
489 
490         rfcomm_lock();
491 
492         s = d->session;
493         if (!s)
494                 goto no_session;
495 
496         /* after waiting on the mutex check the session still exists
497          * then check the dlc still exists
498          */
499         list_for_each_entry(s_list, &session_list, list) {
500                 if (s_list == s) {
501                         list_for_each_entry(d_list, &s->dlcs, list) {
502                                 if (d_list == d) {
503                                         r = __rfcomm_dlc_close(d, err);
504                                         break;
505                                 }
506                         }
507                         break;
508                 }
509         }
510 
511 no_session:
512         rfcomm_unlock();
513         return r;
514 }
515 
516 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
517 {
518         int len = skb->len;
519 
520         if (d->state != BT_CONNECTED)
521                 return -ENOTCONN;
522 
523         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
524 
525         if (len > d->mtu)
526                 return -EINVAL;
527 
528         rfcomm_make_uih(skb, d->addr);
529         skb_queue_tail(&d->tx_queue, skb);
530 
531         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
532                 rfcomm_schedule();
533         return len;
534 }
535 
536 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
537 {
538         BT_DBG("dlc %p state %ld", d, d->state);
539 
540         if (!d->cfc) {
541                 d->v24_sig |= RFCOMM_V24_FC;
542                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
543         }
544         rfcomm_schedule();
545 }
546 
547 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
548 {
549         BT_DBG("dlc %p state %ld", d, d->state);
550 
551         if (!d->cfc) {
552                 d->v24_sig &= ~RFCOMM_V24_FC;
553                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
554         }
555         rfcomm_schedule();
556 }
557 
558 /*
559    Set/get modem status functions use _local_ status i.e. what we report
560    to the other side.
561    Remote status is provided by dlc->modem_status() callback.
562  */
563 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
564 {
565         BT_DBG("dlc %p state %ld v24_sig 0x%x",
566                         d, d->state, v24_sig);
567 
568         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
569                 v24_sig |= RFCOMM_V24_FC;
570         else
571                 v24_sig &= ~RFCOMM_V24_FC;
572 
573         d->v24_sig = v24_sig;
574 
575         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
576                 rfcomm_schedule();
577 
578         return 0;
579 }
580 
581 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
582 {
583         BT_DBG("dlc %p state %ld v24_sig 0x%x",
584                         d, d->state, d->v24_sig);
585 
586         *v24_sig = d->v24_sig;
587         return 0;
588 }
589 
590 /* ---- RFCOMM sessions ---- */
591 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
592 {
593         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
594 
595         if (!s)
596                 return NULL;
597 
598         BT_DBG("session %p sock %p", s, sock);
599 
600         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
601 
602         INIT_LIST_HEAD(&s->dlcs);
603         s->state = state;
604         s->sock  = sock;
605 
606         s->mtu = RFCOMM_DEFAULT_MTU;
607         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
608 
609         /* Do not increment module usage count for listening sessions.
610          * Otherwise we won't be able to unload the module. */
611         if (state != BT_LISTEN)
612                 if (!try_module_get(THIS_MODULE)) {
613                         kfree(s);
614                         return NULL;
615                 }
616 
617         list_add(&s->list, &session_list);
618 
619         return s;
620 }
621 
622 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
623 {
624         int state = s->state;
625 
626         BT_DBG("session %p state %ld", s, s->state);
627 
628         list_del(&s->list);
629 
630         rfcomm_session_clear_timer(s);
631         sock_release(s->sock);
632         kfree(s);
633 
634         if (state != BT_LISTEN)
635                 module_put(THIS_MODULE);
636 
637         return NULL;
638 }
639 
640 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
641 {
642         struct rfcomm_session *s;
643         struct list_head *p, *n;
644         struct bt_sock *sk;
645         list_for_each_safe(p, n, &session_list) {
646                 s = list_entry(p, struct rfcomm_session, list);
647                 sk = bt_sk(s->sock->sk);
648 
649                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
650                                 !bacmp(&sk->dst, dst))
651                         return s;
652         }
653         return NULL;
654 }
655 
656 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
657                                                    int err)
658 {
659         struct rfcomm_dlc *d;
660         struct list_head *p, *n;
661 
662         s->state = BT_CLOSED;
663 
664         BT_DBG("session %p state %ld err %d", s, s->state, err);
665 
666         /* Close all dlcs */
667         list_for_each_safe(p, n, &s->dlcs) {
668                 d = list_entry(p, struct rfcomm_dlc, list);
669                 d->state = BT_CLOSED;
670                 __rfcomm_dlc_close(d, err);
671         }
672 
673         rfcomm_session_clear_timer(s);
674         return rfcomm_session_del(s);
675 }
676 
677 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
678                                                         bdaddr_t *dst,
679                                                         u8 sec_level,
680                                                         int *err)
681 {
682         struct rfcomm_session *s = NULL;
683         struct sockaddr_l2 addr;
684         struct socket *sock;
685         struct sock *sk;
686 
687         BT_DBG("%pMR -> %pMR", src, dst);
688 
689         *err = rfcomm_l2sock_create(&sock);
690         if (*err < 0)
691                 return NULL;
692 
693         bacpy(&addr.l2_bdaddr, src);
694         addr.l2_family = AF_BLUETOOTH;
695         addr.l2_psm    = 0;
696         addr.l2_cid    = 0;
697         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
698         if (*err < 0)
699                 goto failed;
700 
701         /* Set L2CAP options */
702         sk = sock->sk;
703         lock_sock(sk);
704         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
705         l2cap_pi(sk)->chan->sec_level = sec_level;
706         if (l2cap_ertm)
707                 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
708         release_sock(sk);
709 
710         s = rfcomm_session_add(sock, BT_BOUND);
711         if (!s) {
712                 *err = -ENOMEM;
713                 goto failed;
714         }
715 
716         s->initiator = 1;
717 
718         bacpy(&addr.l2_bdaddr, dst);
719         addr.l2_family = AF_BLUETOOTH;
720         addr.l2_psm    = __constant_cpu_to_le16(RFCOMM_PSM);
721         addr.l2_cid    = 0;
722         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
723         if (*err == 0 || *err == -EINPROGRESS)
724                 return s;
725 
726         return rfcomm_session_del(s);
727 
728 failed:
729         sock_release(sock);
730         return NULL;
731 }
732 
733 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
734 {
735         struct sock *sk = s->sock->sk;
736         if (src)
737                 bacpy(src, &bt_sk(sk)->src);
738         if (dst)
739                 bacpy(dst, &bt_sk(sk)->dst);
740 }
741 
742 /* ---- RFCOMM frame sending ---- */
743 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
744 {
745         struct kvec iv = { data, len };
746         struct msghdr msg;
747 
748         BT_DBG("session %p len %d", s, len);
749 
750         memset(&msg, 0, sizeof(msg));
751 
752         return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
753 }
754 
755 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
756 {
757         BT_DBG("%p cmd %u", s, cmd->ctrl);
758 
759         return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
760 }
761 
762 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
763 {
764         struct rfcomm_cmd cmd;
765 
766         BT_DBG("%p dlci %d", s, dlci);
767 
768         cmd.addr = __addr(s->initiator, dlci);
769         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
770         cmd.len  = __len8(0);
771         cmd.fcs  = __fcs2((u8 *) &cmd);
772 
773         return rfcomm_send_cmd(s, &cmd);
774 }
775 
776 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
777 {
778         struct rfcomm_cmd cmd;
779 
780         BT_DBG("%p dlci %d", s, dlci);
781 
782         cmd.addr = __addr(!s->initiator, dlci);
783         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
784         cmd.len  = __len8(0);
785         cmd.fcs  = __fcs2((u8 *) &cmd);
786 
787         return rfcomm_send_cmd(s, &cmd);
788 }
789 
790 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
791 {
792         struct rfcomm_cmd cmd;
793 
794         BT_DBG("%p dlci %d", s, dlci);
795 
796         cmd.addr = __addr(s->initiator, dlci);
797         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
798         cmd.len  = __len8(0);
799         cmd.fcs  = __fcs2((u8 *) &cmd);
800 
801         return rfcomm_send_cmd(s, &cmd);
802 }
803 
804 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
805 {
806         struct rfcomm_cmd *cmd;
807         struct sk_buff *skb;
808 
809         BT_DBG("dlc %p dlci %d", d, d->dlci);
810 
811         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
812         if (!skb)
813                 return -ENOMEM;
814 
815         cmd = (void *) __skb_put(skb, sizeof(*cmd));
816         cmd->addr = d->addr;
817         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
818         cmd->len  = __len8(0);
819         cmd->fcs  = __fcs2((u8 *) cmd);
820 
821         skb_queue_tail(&d->tx_queue, skb);
822         rfcomm_schedule();
823         return 0;
824 }
825 
826 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
827 {
828         struct rfcomm_cmd cmd;
829 
830         BT_DBG("%p dlci %d", s, dlci);
831 
832         cmd.addr = __addr(!s->initiator, dlci);
833         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
834         cmd.len  = __len8(0);
835         cmd.fcs  = __fcs2((u8 *) &cmd);
836 
837         return rfcomm_send_cmd(s, &cmd);
838 }
839 
840 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
841 {
842         struct rfcomm_hdr *hdr;
843         struct rfcomm_mcc *mcc;
844         u8 buf[16], *ptr = buf;
845 
846         BT_DBG("%p cr %d type %d", s, cr, type);
847 
848         hdr = (void *) ptr; ptr += sizeof(*hdr);
849         hdr->addr = __addr(s->initiator, 0);
850         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
851         hdr->len  = __len8(sizeof(*mcc) + 1);
852 
853         mcc = (void *) ptr; ptr += sizeof(*mcc);
854         mcc->type = __mcc_type(cr, RFCOMM_NSC);
855         mcc->len  = __len8(1);
856 
857         /* Type that we didn't like */
858         *ptr = __mcc_type(cr, type); ptr++;
859 
860         *ptr = __fcs(buf); ptr++;
861 
862         return rfcomm_send_frame(s, buf, ptr - buf);
863 }
864 
865 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
866 {
867         struct rfcomm_hdr *hdr;
868         struct rfcomm_mcc *mcc;
869         struct rfcomm_pn  *pn;
870         u8 buf[16], *ptr = buf;
871 
872         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
873 
874         hdr = (void *) ptr; ptr += sizeof(*hdr);
875         hdr->addr = __addr(s->initiator, 0);
876         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
877         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
878 
879         mcc = (void *) ptr; ptr += sizeof(*mcc);
880         mcc->type = __mcc_type(cr, RFCOMM_PN);
881         mcc->len  = __len8(sizeof(*pn));
882 
883         pn = (void *) ptr; ptr += sizeof(*pn);
884         pn->dlci        = d->dlci;
885         pn->priority    = d->priority;
886         pn->ack_timer   = 0;
887         pn->max_retrans = 0;
888 
889         if (s->cfc) {
890                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
891                 pn->credits = RFCOMM_DEFAULT_CREDITS;
892         } else {
893                 pn->flow_ctrl = 0;
894                 pn->credits   = 0;
895         }
896 
897         if (cr && channel_mtu >= 0)
898                 pn->mtu = cpu_to_le16(channel_mtu);
899         else
900                 pn->mtu = cpu_to_le16(d->mtu);
901 
902         *ptr = __fcs(buf); ptr++;
903 
904         return rfcomm_send_frame(s, buf, ptr - buf);
905 }
906 
907 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
908                         u8 bit_rate, u8 data_bits, u8 stop_bits,
909                         u8 parity, u8 flow_ctrl_settings,
910                         u8 xon_char, u8 xoff_char, u16 param_mask)
911 {
912         struct rfcomm_hdr *hdr;
913         struct rfcomm_mcc *mcc;
914         struct rfcomm_rpn *rpn;
915         u8 buf[16], *ptr = buf;
916 
917         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
918                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
919                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
920                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
921 
922         hdr = (void *) ptr; ptr += sizeof(*hdr);
923         hdr->addr = __addr(s->initiator, 0);
924         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
925         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
926 
927         mcc = (void *) ptr; ptr += sizeof(*mcc);
928         mcc->type = __mcc_type(cr, RFCOMM_RPN);
929         mcc->len  = __len8(sizeof(*rpn));
930 
931         rpn = (void *) ptr; ptr += sizeof(*rpn);
932         rpn->dlci          = __addr(1, dlci);
933         rpn->bit_rate      = bit_rate;
934         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
935         rpn->flow_ctrl     = flow_ctrl_settings;
936         rpn->xon_char      = xon_char;
937         rpn->xoff_char     = xoff_char;
938         rpn->param_mask    = cpu_to_le16(param_mask);
939 
940         *ptr = __fcs(buf); ptr++;
941 
942         return rfcomm_send_frame(s, buf, ptr - buf);
943 }
944 
945 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
946 {
947         struct rfcomm_hdr *hdr;
948         struct rfcomm_mcc *mcc;
949         struct rfcomm_rls *rls;
950         u8 buf[16], *ptr = buf;
951 
952         BT_DBG("%p cr %d status 0x%x", s, cr, status);
953 
954         hdr = (void *) ptr; ptr += sizeof(*hdr);
955         hdr->addr = __addr(s->initiator, 0);
956         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
957         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
958 
959         mcc = (void *) ptr; ptr += sizeof(*mcc);
960         mcc->type = __mcc_type(cr, RFCOMM_RLS);
961         mcc->len  = __len8(sizeof(*rls));
962 
963         rls = (void *) ptr; ptr += sizeof(*rls);
964         rls->dlci   = __addr(1, dlci);
965         rls->status = status;
966 
967         *ptr = __fcs(buf); ptr++;
968 
969         return rfcomm_send_frame(s, buf, ptr - buf);
970 }
971 
972 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
973 {
974         struct rfcomm_hdr *hdr;
975         struct rfcomm_mcc *mcc;
976         struct rfcomm_msc *msc;
977         u8 buf[16], *ptr = buf;
978 
979         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
980 
981         hdr = (void *) ptr; ptr += sizeof(*hdr);
982         hdr->addr = __addr(s->initiator, 0);
983         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
984         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
985 
986         mcc = (void *) ptr; ptr += sizeof(*mcc);
987         mcc->type = __mcc_type(cr, RFCOMM_MSC);
988         mcc->len  = __len8(sizeof(*msc));
989 
990         msc = (void *) ptr; ptr += sizeof(*msc);
991         msc->dlci    = __addr(1, dlci);
992         msc->v24_sig = v24_sig | 0x01;
993 
994         *ptr = __fcs(buf); ptr++;
995 
996         return rfcomm_send_frame(s, buf, ptr - buf);
997 }
998 
999 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1000 {
1001         struct rfcomm_hdr *hdr;
1002         struct rfcomm_mcc *mcc;
1003         u8 buf[16], *ptr = buf;
1004 
1005         BT_DBG("%p cr %d", s, cr);
1006 
1007         hdr = (void *) ptr; ptr += sizeof(*hdr);
1008         hdr->addr = __addr(s->initiator, 0);
1009         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1010         hdr->len  = __len8(sizeof(*mcc));
1011 
1012         mcc = (void *) ptr; ptr += sizeof(*mcc);
1013         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1014         mcc->len  = __len8(0);
1015 
1016         *ptr = __fcs(buf); ptr++;
1017 
1018         return rfcomm_send_frame(s, buf, ptr - buf);
1019 }
1020 
1021 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1022 {
1023         struct rfcomm_hdr *hdr;
1024         struct rfcomm_mcc *mcc;
1025         u8 buf[16], *ptr = buf;
1026 
1027         BT_DBG("%p cr %d", s, cr);
1028 
1029         hdr = (void *) ptr; ptr += sizeof(*hdr);
1030         hdr->addr = __addr(s->initiator, 0);
1031         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1032         hdr->len  = __len8(sizeof(*mcc));
1033 
1034         mcc = (void *) ptr; ptr += sizeof(*mcc);
1035         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1036         mcc->len  = __len8(0);
1037 
1038         *ptr = __fcs(buf); ptr++;
1039 
1040         return rfcomm_send_frame(s, buf, ptr - buf);
1041 }
1042 
1043 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1044 {
1045         struct socket *sock = s->sock;
1046         struct kvec iv[3];
1047         struct msghdr msg;
1048         unsigned char hdr[5], crc[1];
1049 
1050         if (len > 125)
1051                 return -EINVAL;
1052 
1053         BT_DBG("%p cr %d", s, cr);
1054 
1055         hdr[0] = __addr(s->initiator, 0);
1056         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1057         hdr[2] = 0x01 | ((len + 2) << 1);
1058         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1059         hdr[4] = 0x01 | (len << 1);
1060 
1061         crc[0] = __fcs(hdr);
1062 
1063         iv[0].iov_base = hdr;
1064         iv[0].iov_len  = 5;
1065         iv[1].iov_base = pattern;
1066         iv[1].iov_len  = len;
1067         iv[2].iov_base = crc;
1068         iv[2].iov_len  = 1;
1069 
1070         memset(&msg, 0, sizeof(msg));
1071 
1072         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1073 }
1074 
1075 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1076 {
1077         struct rfcomm_hdr *hdr;
1078         u8 buf[16], *ptr = buf;
1079 
1080         BT_DBG("%p addr %d credits %d", s, addr, credits);
1081 
1082         hdr = (void *) ptr; ptr += sizeof(*hdr);
1083         hdr->addr = addr;
1084         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1085         hdr->len  = __len8(0);
1086 
1087         *ptr = credits; ptr++;
1088 
1089         *ptr = __fcs(buf); ptr++;
1090 
1091         return rfcomm_send_frame(s, buf, ptr - buf);
1092 }
1093 
1094 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1095 {
1096         struct rfcomm_hdr *hdr;
1097         int len = skb->len;
1098         u8 *crc;
1099 
1100         if (len > 127) {
1101                 hdr = (void *) skb_push(skb, 4);
1102                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1103         } else {
1104                 hdr = (void *) skb_push(skb, 3);
1105                 hdr->len = __len8(len);
1106         }
1107         hdr->addr = addr;
1108         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1109 
1110         crc = skb_put(skb, 1);
1111         *crc = __fcs((void *) hdr);
1112 }
1113 
1114 /* ---- RFCOMM frame reception ---- */
1115 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1116 {
1117         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1118 
1119         if (dlci) {
1120                 /* Data channel */
1121                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1122                 if (!d) {
1123                         rfcomm_send_dm(s, dlci);
1124                         return s;
1125                 }
1126 
1127                 switch (d->state) {
1128                 case BT_CONNECT:
1129                         rfcomm_dlc_clear_timer(d);
1130 
1131                         rfcomm_dlc_lock(d);
1132                         d->state = BT_CONNECTED;
1133                         d->state_change(d, 0);
1134                         rfcomm_dlc_unlock(d);
1135 
1136                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1137                         break;
1138 
1139                 case BT_DISCONN:
1140                         d->state = BT_CLOSED;
1141                         __rfcomm_dlc_close(d, 0);
1142 
1143                         if (list_empty(&s->dlcs)) {
1144                                 s->state = BT_DISCONN;
1145                                 rfcomm_send_disc(s, 0);
1146                                 rfcomm_session_clear_timer(s);
1147                         }
1148 
1149                         break;
1150                 }
1151         } else {
1152                 /* Control channel */
1153                 switch (s->state) {
1154                 case BT_CONNECT:
1155                         s->state = BT_CONNECTED;
1156                         rfcomm_process_connect(s);
1157                         break;
1158 
1159                 case BT_DISCONN:
1160                         s = rfcomm_session_close(s, ECONNRESET);
1161                         break;
1162                 }
1163         }
1164         return s;
1165 }
1166 
1167 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1168 {
1169         int err = 0;
1170 
1171         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1172 
1173         if (dlci) {
1174                 /* Data DLC */
1175                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1176                 if (d) {
1177                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1178                                 err = ECONNREFUSED;
1179                         else
1180                                 err = ECONNRESET;
1181 
1182                         d->state = BT_CLOSED;
1183                         __rfcomm_dlc_close(d, err);
1184                 }
1185         } else {
1186                 if (s->state == BT_CONNECT)
1187                         err = ECONNREFUSED;
1188                 else
1189                         err = ECONNRESET;
1190 
1191                 s = rfcomm_session_close(s, err);
1192         }
1193         return s;
1194 }
1195 
1196 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1197                                                u8 dlci)
1198 {
1199         int err = 0;
1200 
1201         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1202 
1203         if (dlci) {
1204                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1205                 if (d) {
1206                         rfcomm_send_ua(s, dlci);
1207 
1208                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1209                                 err = ECONNREFUSED;
1210                         else
1211                                 err = ECONNRESET;
1212 
1213                         d->state = BT_CLOSED;
1214                         __rfcomm_dlc_close(d, err);
1215                 } else
1216                         rfcomm_send_dm(s, dlci);
1217 
1218         } else {
1219                 rfcomm_send_ua(s, 0);
1220 
1221                 if (s->state == BT_CONNECT)
1222                         err = ECONNREFUSED;
1223                 else
1224                         err = ECONNRESET;
1225 
1226                 s = rfcomm_session_close(s, err);
1227         }
1228         return s;
1229 }
1230 
1231 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1232 {
1233         struct sock *sk = d->session->sock->sk;
1234         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1235 
1236         BT_DBG("dlc %p", d);
1237 
1238         rfcomm_send_ua(d->session, d->dlci);
1239 
1240         rfcomm_dlc_clear_timer(d);
1241 
1242         rfcomm_dlc_lock(d);
1243         d->state = BT_CONNECTED;
1244         d->state_change(d, 0);
1245         rfcomm_dlc_unlock(d);
1246 
1247         if (d->role_switch)
1248                 hci_conn_switch_role(conn->hcon, 0x00);
1249 
1250         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1251 }
1252 
1253 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1254 {
1255         if (rfcomm_check_security(d)) {
1256                 if (d->defer_setup) {
1257                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1258                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1259 
1260                         rfcomm_dlc_lock(d);
1261                         d->state = BT_CONNECT2;
1262                         d->state_change(d, 0);
1263                         rfcomm_dlc_unlock(d);
1264                 } else
1265                         rfcomm_dlc_accept(d);
1266         } else {
1267                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1268                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1269         }
1270 }
1271 
1272 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1273 {
1274         struct rfcomm_dlc *d;
1275         u8 channel;
1276 
1277         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1278 
1279         if (!dlci) {
1280                 rfcomm_send_ua(s, 0);
1281 
1282                 if (s->state == BT_OPEN) {
1283                         s->state = BT_CONNECTED;
1284                         rfcomm_process_connect(s);
1285                 }
1286                 return 0;
1287         }
1288 
1289         /* Check if DLC exists */
1290         d = rfcomm_dlc_get(s, dlci);
1291         if (d) {
1292                 if (d->state == BT_OPEN) {
1293                         /* DLC was previously opened by PN request */
1294                         rfcomm_check_accept(d);
1295                 }
1296                 return 0;
1297         }
1298 
1299         /* Notify socket layer about incoming connection */
1300         channel = __srv_channel(dlci);
1301         if (rfcomm_connect_ind(s, channel, &d)) {
1302                 d->dlci = dlci;
1303                 d->addr = __addr(s->initiator, dlci);
1304                 rfcomm_dlc_link(s, d);
1305 
1306                 rfcomm_check_accept(d);
1307         } else {
1308                 rfcomm_send_dm(s, dlci);
1309         }
1310 
1311         return 0;
1312 }
1313 
1314 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1315 {
1316         struct rfcomm_session *s = d->session;
1317 
1318         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1319                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1320 
1321         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1322                                                 pn->flow_ctrl == 0xe0) {
1323                 d->cfc = RFCOMM_CFC_ENABLED;
1324                 d->tx_credits = pn->credits;
1325         } else {
1326                 d->cfc = RFCOMM_CFC_DISABLED;
1327                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1328         }
1329 
1330         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1331                 s->cfc = d->cfc;
1332 
1333         d->priority = pn->priority;
1334 
1335         d->mtu = __le16_to_cpu(pn->mtu);
1336 
1337         if (cr && d->mtu > s->mtu)
1338                 d->mtu = s->mtu;
1339 
1340         return 0;
1341 }
1342 
1343 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1344 {
1345         struct rfcomm_pn *pn = (void *) skb->data;
1346         struct rfcomm_dlc *d;
1347         u8 dlci = pn->dlci;
1348 
1349         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1350 
1351         if (!dlci)
1352                 return 0;
1353 
1354         d = rfcomm_dlc_get(s, dlci);
1355         if (d) {
1356                 if (cr) {
1357                         /* PN request */
1358                         rfcomm_apply_pn(d, cr, pn);
1359                         rfcomm_send_pn(s, 0, d);
1360                 } else {
1361                         /* PN response */
1362                         switch (d->state) {
1363                         case BT_CONFIG:
1364                                 rfcomm_apply_pn(d, cr, pn);
1365 
1366                                 d->state = BT_CONNECT;
1367                                 rfcomm_send_sabm(s, d->dlci);
1368                                 break;
1369                         }
1370                 }
1371         } else {
1372                 u8 channel = __srv_channel(dlci);
1373 
1374                 if (!cr)
1375                         return 0;
1376 
1377                 /* PN request for non existing DLC.
1378                  * Assume incoming connection. */
1379                 if (rfcomm_connect_ind(s, channel, &d)) {
1380                         d->dlci = dlci;
1381                         d->addr = __addr(s->initiator, dlci);
1382                         rfcomm_dlc_link(s, d);
1383 
1384                         rfcomm_apply_pn(d, cr, pn);
1385 
1386                         d->state = BT_OPEN;
1387                         rfcomm_send_pn(s, 0, d);
1388                 } else {
1389                         rfcomm_send_dm(s, dlci);
1390                 }
1391         }
1392         return 0;
1393 }
1394 
1395 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1396 {
1397         struct rfcomm_rpn *rpn = (void *) skb->data;
1398         u8 dlci = __get_dlci(rpn->dlci);
1399 
1400         u8 bit_rate  = 0;
1401         u8 data_bits = 0;
1402         u8 stop_bits = 0;
1403         u8 parity    = 0;
1404         u8 flow_ctrl = 0;
1405         u8 xon_char  = 0;
1406         u8 xoff_char = 0;
1407         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1408 
1409         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1410                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1411                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1412 
1413         if (!cr)
1414                 return 0;
1415 
1416         if (len == 1) {
1417                 /* This is a request, return default (according to ETSI TS 07.10) settings */
1418                 bit_rate  = RFCOMM_RPN_BR_9600;
1419                 data_bits = RFCOMM_RPN_DATA_8;
1420                 stop_bits = RFCOMM_RPN_STOP_1;
1421                 parity    = RFCOMM_RPN_PARITY_NONE;
1422                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1423                 xon_char  = RFCOMM_RPN_XON_CHAR;
1424                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1425                 goto rpn_out;
1426         }
1427 
1428         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1429          * no parity, no flow control lines, normal XON/XOFF chars */
1430 
1431         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1432                 bit_rate = rpn->bit_rate;
1433                 if (bit_rate > RFCOMM_RPN_BR_230400) {
1434                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1435                         bit_rate = RFCOMM_RPN_BR_9600;
1436                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1437                 }
1438         }
1439 
1440         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1441                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1442                 if (data_bits != RFCOMM_RPN_DATA_8) {
1443                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1444                         data_bits = RFCOMM_RPN_DATA_8;
1445                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1446                 }
1447         }
1448 
1449         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1450                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1451                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1452                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1453                         stop_bits = RFCOMM_RPN_STOP_1;
1454                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1455                 }
1456         }
1457 
1458         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1459                 parity = __get_rpn_parity(rpn->line_settings);
1460                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1461                         BT_DBG("RPN parity mismatch 0x%x", parity);
1462                         parity = RFCOMM_RPN_PARITY_NONE;
1463                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1464                 }
1465         }
1466 
1467         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1468                 flow_ctrl = rpn->flow_ctrl;
1469                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1470                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1471                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1472                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1473                 }
1474         }
1475 
1476         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1477                 xon_char = rpn->xon_char;
1478                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1479                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1480                         xon_char = RFCOMM_RPN_XON_CHAR;
1481                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1482                 }
1483         }
1484 
1485         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1486                 xoff_char = rpn->xoff_char;
1487                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1488                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1489                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1490                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1491                 }
1492         }
1493 
1494 rpn_out:
1495         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1496                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1497 
1498         return 0;
1499 }
1500 
1501 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1502 {
1503         struct rfcomm_rls *rls = (void *) skb->data;
1504         u8 dlci = __get_dlci(rls->dlci);
1505 
1506         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1507 
1508         if (!cr)
1509                 return 0;
1510 
1511         /* We should probably do something with this information here. But
1512          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1513          * mandatory to recognise and respond to RLS */
1514 
1515         rfcomm_send_rls(s, 0, dlci, rls->status);
1516 
1517         return 0;
1518 }
1519 
1520 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1521 {
1522         struct rfcomm_msc *msc = (void *) skb->data;
1523         struct rfcomm_dlc *d;
1524         u8 dlci = __get_dlci(msc->dlci);
1525 
1526         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1527 
1528         d = rfcomm_dlc_get(s, dlci);
1529         if (!d)
1530                 return 0;
1531 
1532         if (cr) {
1533                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1534                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1535                 else
1536                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1537 
1538                 rfcomm_dlc_lock(d);
1539 
1540                 d->remote_v24_sig = msc->v24_sig;
1541 
1542                 if (d->modem_status)
1543                         d->modem_status(d, msc->v24_sig);
1544 
1545                 rfcomm_dlc_unlock(d);
1546 
1547                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1548 
1549                 d->mscex |= RFCOMM_MSCEX_RX;
1550         } else
1551                 d->mscex |= RFCOMM_MSCEX_TX;
1552 
1553         return 0;
1554 }
1555 
1556 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1557 {
1558         struct rfcomm_mcc *mcc = (void *) skb->data;
1559         u8 type, cr, len;
1560 
1561         cr   = __test_cr(mcc->type);
1562         type = __get_mcc_type(mcc->type);
1563         len  = __get_mcc_len(mcc->len);
1564 
1565         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1566 
1567         skb_pull(skb, 2);
1568 
1569         switch (type) {
1570         case RFCOMM_PN:
1571                 rfcomm_recv_pn(s, cr, skb);
1572                 break;
1573 
1574         case RFCOMM_RPN:
1575                 rfcomm_recv_rpn(s, cr, len, skb);
1576                 break;
1577 
1578         case RFCOMM_RLS:
1579                 rfcomm_recv_rls(s, cr, skb);
1580                 break;
1581 
1582         case RFCOMM_MSC:
1583                 rfcomm_recv_msc(s, cr, skb);
1584                 break;
1585 
1586         case RFCOMM_FCOFF:
1587                 if (cr) {
1588                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1589                         rfcomm_send_fcoff(s, 0);
1590                 }
1591                 break;
1592 
1593         case RFCOMM_FCON:
1594                 if (cr) {
1595                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1596                         rfcomm_send_fcon(s, 0);
1597                 }
1598                 break;
1599 
1600         case RFCOMM_TEST:
1601                 if (cr)
1602                         rfcomm_send_test(s, 0, skb->data, skb->len);
1603                 break;
1604 
1605         case RFCOMM_NSC:
1606                 break;
1607 
1608         default:
1609                 BT_ERR("Unknown control type 0x%02x", type);
1610                 rfcomm_send_nsc(s, cr, type);
1611                 break;
1612         }
1613         return 0;
1614 }
1615 
1616 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1617 {
1618         struct rfcomm_dlc *d;
1619 
1620         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1621 
1622         d = rfcomm_dlc_get(s, dlci);
1623         if (!d) {
1624                 rfcomm_send_dm(s, dlci);
1625                 goto drop;
1626         }
1627 
1628         if (pf && d->cfc) {
1629                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1630 
1631                 d->tx_credits += credits;
1632                 if (d->tx_credits)
1633                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1634         }
1635 
1636         if (skb->len && d->state == BT_CONNECTED) {
1637                 rfcomm_dlc_lock(d);
1638                 d->rx_credits--;
1639                 d->data_ready(d, skb);
1640                 rfcomm_dlc_unlock(d);
1641                 return 0;
1642         }
1643 
1644 drop:
1645         kfree_skb(skb);
1646         return 0;
1647 }
1648 
1649 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1650                                                 struct sk_buff *skb)
1651 {
1652         struct rfcomm_hdr *hdr = (void *) skb->data;
1653         u8 type, dlci, fcs;
1654 
1655         if (!s) {
1656                 /* no session, so free socket data */
1657                 kfree_skb(skb);
1658                 return s;
1659         }
1660 
1661         dlci = __get_dlci(hdr->addr);
1662         type = __get_type(hdr->ctrl);
1663 
1664         /* Trim FCS */
1665         skb->len--; skb->tail--;
1666         fcs = *(u8 *)skb_tail_pointer(skb);
1667 
1668         if (__check_fcs(skb->data, type, fcs)) {
1669                 BT_ERR("bad checksum in packet");
1670                 kfree_skb(skb);
1671                 return s;
1672         }
1673 
1674         if (__test_ea(hdr->len))
1675                 skb_pull(skb, 3);
1676         else
1677                 skb_pull(skb, 4);
1678 
1679         switch (type) {
1680         case RFCOMM_SABM:
1681                 if (__test_pf(hdr->ctrl))
1682                         rfcomm_recv_sabm(s, dlci);
1683                 break;
1684 
1685         case RFCOMM_DISC:
1686                 if (__test_pf(hdr->ctrl))
1687                         s = rfcomm_recv_disc(s, dlci);
1688                 break;
1689 
1690         case RFCOMM_UA:
1691                 if (__test_pf(hdr->ctrl))
1692                         s = rfcomm_recv_ua(s, dlci);
1693                 break;
1694 
1695         case RFCOMM_DM:
1696                 s = rfcomm_recv_dm(s, dlci);
1697                 break;
1698 
1699         case RFCOMM_UIH:
1700                 if (dlci) {
1701                         rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1702                         return s;
1703                 }
1704                 rfcomm_recv_mcc(s, skb);
1705                 break;
1706 
1707         default:
1708                 BT_ERR("Unknown packet type 0x%02x", type);
1709                 break;
1710         }
1711         kfree_skb(skb);
1712         return s;
1713 }
1714 
1715 /* ---- Connection and data processing ---- */
1716 
1717 static void rfcomm_process_connect(struct rfcomm_session *s)
1718 {
1719         struct rfcomm_dlc *d;
1720         struct list_head *p, *n;
1721 
1722         BT_DBG("session %p state %ld", s, s->state);
1723 
1724         list_for_each_safe(p, n, &s->dlcs) {
1725                 d = list_entry(p, struct rfcomm_dlc, list);
1726                 if (d->state == BT_CONFIG) {
1727                         d->mtu = s->mtu;
1728                         if (rfcomm_check_security(d)) {
1729                                 rfcomm_send_pn(s, 1, d);
1730                         } else {
1731                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1732                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1733                         }
1734                 }
1735         }
1736 }
1737 
1738 /* Send data queued for the DLC.
1739  * Return number of frames left in the queue.
1740  */
1741 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1742 {
1743         struct sk_buff *skb;
1744         int err;
1745 
1746         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1747                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1748 
1749         /* Send pending MSC */
1750         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1751                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1752 
1753         if (d->cfc) {
1754                 /* CFC enabled.
1755                  * Give them some credits */
1756                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1757                                 d->rx_credits <= (d->cfc >> 2)) {
1758                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1759                         d->rx_credits = d->cfc;
1760                 }
1761         } else {
1762                 /* CFC disabled.
1763                  * Give ourselves some credits */
1764                 d->tx_credits = 5;
1765         }
1766 
1767         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1768                 return skb_queue_len(&d->tx_queue);
1769 
1770         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1771                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1772                 if (err < 0) {
1773                         skb_queue_head(&d->tx_queue, skb);
1774                         break;
1775                 }
1776                 kfree_skb(skb);
1777                 d->tx_credits--;
1778         }
1779 
1780         if (d->cfc && !d->tx_credits) {
1781                 /* We're out of TX credits.
1782                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1783                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1784         }
1785 
1786         return skb_queue_len(&d->tx_queue);
1787 }
1788 
1789 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1790 {
1791         struct rfcomm_dlc *d;
1792         struct list_head *p, *n;
1793 
1794         BT_DBG("session %p state %ld", s, s->state);
1795 
1796         list_for_each_safe(p, n, &s->dlcs) {
1797                 d = list_entry(p, struct rfcomm_dlc, list);
1798 
1799                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1800                         __rfcomm_dlc_close(d, ETIMEDOUT);
1801                         continue;
1802                 }
1803 
1804                 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1805                         __rfcomm_dlc_close(d, ECONNREFUSED);
1806                         continue;
1807                 }
1808 
1809                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1810                         rfcomm_dlc_clear_timer(d);
1811                         if (d->out) {
1812                                 rfcomm_send_pn(s, 1, d);
1813                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1814                         } else {
1815                                 if (d->defer_setup) {
1816                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1817                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1818 
1819                                         rfcomm_dlc_lock(d);
1820                                         d->state = BT_CONNECT2;
1821                                         d->state_change(d, 0);
1822                                         rfcomm_dlc_unlock(d);
1823                                 } else
1824                                         rfcomm_dlc_accept(d);
1825                         }
1826                         continue;
1827                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1828                         rfcomm_dlc_clear_timer(d);
1829                         if (!d->out)
1830                                 rfcomm_send_dm(s, d->dlci);
1831                         else
1832                                 d->state = BT_CLOSED;
1833                         __rfcomm_dlc_close(d, ECONNREFUSED);
1834                         continue;
1835                 }
1836 
1837                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1838                         continue;
1839 
1840                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1841                         continue;
1842 
1843                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1844                                                 d->mscex == RFCOMM_MSCEX_OK)
1845                         rfcomm_process_tx(d);
1846         }
1847 }
1848 
1849 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1850 {
1851         struct socket *sock = s->sock;
1852         struct sock *sk = sock->sk;
1853         struct sk_buff *skb;
1854 
1855         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1856 
1857         /* Get data directly from socket receive queue without copying it. */
1858         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1859                 skb_orphan(skb);
1860                 if (!skb_linearize(skb)) {
1861                         s = rfcomm_recv_frame(s, skb);
1862                         if (!s)
1863                                 break;
1864                 } else {
1865                         kfree_skb(skb);
1866                 }
1867         }
1868 
1869         if (s && (sk->sk_state == BT_CLOSED))
1870                 s = rfcomm_session_close(s, sk->sk_err);
1871 
1872         return s;
1873 }
1874 
1875 static void rfcomm_accept_connection(struct rfcomm_session *s)
1876 {
1877         struct socket *sock = s->sock, *nsock;
1878         int err;
1879 
1880         /* Fast check for a new connection.
1881          * Avoids unnesesary socket allocations. */
1882         if (list_empty(&bt_sk(sock->sk)->accept_q))
1883                 return;
1884 
1885         BT_DBG("session %p", s);
1886 
1887         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1888         if (err < 0)
1889                 return;
1890 
1891         /* Set our callbacks */
1892         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1893         nsock->sk->sk_state_change = rfcomm_l2state_change;
1894 
1895         s = rfcomm_session_add(nsock, BT_OPEN);
1896         if (s) {
1897                 /* We should adjust MTU on incoming sessions.
1898                  * L2CAP MTU minus UIH header and FCS. */
1899                 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1900                                 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1901 
1902                 rfcomm_schedule();
1903         } else
1904                 sock_release(nsock);
1905 }
1906 
1907 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1908 {
1909         struct sock *sk = s->sock->sk;
1910 
1911         BT_DBG("%p state %ld", s, s->state);
1912 
1913         switch (sk->sk_state) {
1914         case BT_CONNECTED:
1915                 s->state = BT_CONNECT;
1916 
1917                 /* We can adjust MTU on outgoing sessions.
1918                  * L2CAP MTU minus UIH header and FCS. */
1919                 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1920 
1921                 rfcomm_send_sabm(s, 0);
1922                 break;
1923 
1924         case BT_CLOSED:
1925                 s = rfcomm_session_close(s, sk->sk_err);
1926                 break;
1927         }
1928         return s;
1929 }
1930 
1931 static void rfcomm_process_sessions(void)
1932 {
1933         struct list_head *p, *n;
1934 
1935         rfcomm_lock();
1936 
1937         list_for_each_safe(p, n, &session_list) {
1938                 struct rfcomm_session *s;
1939                 s = list_entry(p, struct rfcomm_session, list);
1940 
1941                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1942                         s->state = BT_DISCONN;
1943                         rfcomm_send_disc(s, 0);
1944                         continue;
1945                 }
1946 
1947                 if (s->state == BT_LISTEN) {
1948                         rfcomm_accept_connection(s);
1949                         continue;
1950                 }
1951 
1952                 switch (s->state) {
1953                 case BT_BOUND:
1954                         s = rfcomm_check_connection(s);
1955                         break;
1956 
1957                 default:
1958                         s = rfcomm_process_rx(s);
1959                         break;
1960                 }
1961 
1962                 if (s)
1963                         rfcomm_process_dlcs(s);
1964         }
1965 
1966         rfcomm_unlock();
1967 }
1968 
1969 static int rfcomm_add_listener(bdaddr_t *ba)
1970 {
1971         struct sockaddr_l2 addr;
1972         struct socket *sock;
1973         struct sock *sk;
1974         struct rfcomm_session *s;
1975         int    err = 0;
1976 
1977         /* Create socket */
1978         err = rfcomm_l2sock_create(&sock);
1979         if (err < 0) {
1980                 BT_ERR("Create socket failed %d", err);
1981                 return err;
1982         }
1983 
1984         /* Bind socket */
1985         bacpy(&addr.l2_bdaddr, ba);
1986         addr.l2_family = AF_BLUETOOTH;
1987         addr.l2_psm    = __constant_cpu_to_le16(RFCOMM_PSM);
1988         addr.l2_cid    = 0;
1989         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1990         if (err < 0) {
1991                 BT_ERR("Bind failed %d", err);
1992                 goto failed;
1993         }
1994 
1995         /* Set L2CAP options */
1996         sk = sock->sk;
1997         lock_sock(sk);
1998         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
1999         release_sock(sk);
2000 
2001         /* Start listening on the socket */
2002         err = kernel_listen(sock, 10);
2003         if (err) {
2004                 BT_ERR("Listen failed %d", err);
2005                 goto failed;
2006         }
2007 
2008         /* Add listening session */
2009         s = rfcomm_session_add(sock, BT_LISTEN);
2010         if (!s) {
2011                 err = -ENOMEM;
2012                 goto failed;
2013         }
2014 
2015         return 0;
2016 failed:
2017         sock_release(sock);
2018         return err;
2019 }
2020 
2021 static void rfcomm_kill_listener(void)
2022 {
2023         struct rfcomm_session *s;
2024         struct list_head *p, *n;
2025 
2026         BT_DBG("");
2027 
2028         list_for_each_safe(p, n, &session_list) {
2029                 s = list_entry(p, struct rfcomm_session, list);
2030                 rfcomm_session_del(s);
2031         }
2032 }
2033 
2034 static int rfcomm_run(void *unused)
2035 {
2036         BT_DBG("");
2037 
2038         set_user_nice(current, -10);
2039 
2040         rfcomm_add_listener(BDADDR_ANY);
2041 
2042         while (1) {
2043                 set_current_state(TASK_INTERRUPTIBLE);
2044 
2045                 if (kthread_should_stop())
2046                         break;
2047 
2048                 /* Process stuff */
2049                 rfcomm_process_sessions();
2050 
2051                 schedule();
2052         }
2053         __set_current_state(TASK_RUNNING);
2054 
2055         rfcomm_kill_listener();
2056 
2057         return 0;
2058 }
2059 
2060 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2061 {
2062         struct rfcomm_session *s;
2063         struct rfcomm_dlc *d;
2064         struct list_head *p, *n;
2065 
2066         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2067 
2068         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2069         if (!s)
2070                 return;
2071 
2072         list_for_each_safe(p, n, &s->dlcs) {
2073                 d = list_entry(p, struct rfcomm_dlc, list);
2074 
2075                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2076                         rfcomm_dlc_clear_timer(d);
2077                         if (status || encrypt == 0x00) {
2078                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2079                                 continue;
2080                         }
2081                 }
2082 
2083                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2084                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2085                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2086                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2087                                 continue;
2088                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2089                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2090                                 continue;
2091                         }
2092                 }
2093 
2094                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2095                         continue;
2096 
2097                 if (!status && hci_conn_check_secure(conn, d->sec_level))
2098                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2099                 else
2100                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2101         }
2102 
2103         rfcomm_schedule();
2104 }
2105 
2106 static struct hci_cb rfcomm_cb = {
2107         .name           = "RFCOMM",
2108         .security_cfm   = rfcomm_security_cfm
2109 };
2110 
2111 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2112 {
2113         struct rfcomm_session *s;
2114 
2115         rfcomm_lock();
2116 
2117         list_for_each_entry(s, &session_list, list) {
2118                 struct rfcomm_dlc *d;
2119                 list_for_each_entry(d, &s->dlcs, list) {
2120                         struct sock *sk = s->sock->sk;
2121 
2122                         seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2123                                    &bt_sk(sk)->src, &bt_sk(sk)->dst,
2124                                    d->state, d->dlci, d->mtu,
2125                                    d->rx_credits, d->tx_credits);
2126                 }
2127         }
2128 
2129         rfcomm_unlock();
2130 
2131         return 0;
2132 }
2133 
2134 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2135 {
2136         return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2137 }
2138 
2139 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2140         .open           = rfcomm_dlc_debugfs_open,
2141         .read           = seq_read,
2142         .llseek         = seq_lseek,
2143         .release        = single_release,
2144 };
2145 
2146 static struct dentry *rfcomm_dlc_debugfs;
2147 
2148 /* ---- Initialization ---- */
2149 static int __init rfcomm_init(void)
2150 {
2151         int err;
2152 
2153         hci_register_cb(&rfcomm_cb);
2154 
2155         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2156         if (IS_ERR(rfcomm_thread)) {
2157                 err = PTR_ERR(rfcomm_thread);
2158                 goto unregister;
2159         }
2160 
2161         if (bt_debugfs) {
2162                 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2163                                 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2164                 if (!rfcomm_dlc_debugfs)
2165                         BT_ERR("Failed to create RFCOMM debug file");
2166         }
2167 
2168         err = rfcomm_init_ttys();
2169         if (err < 0)
2170                 goto stop;
2171 
2172         err = rfcomm_init_sockets();
2173         if (err < 0)
2174                 goto cleanup;
2175 
2176         BT_INFO("RFCOMM ver %s", VERSION);
2177 
2178         return 0;
2179 
2180 cleanup:
2181         rfcomm_cleanup_ttys();
2182 
2183 stop:
2184         kthread_stop(rfcomm_thread);
2185 
2186 unregister:
2187         hci_unregister_cb(&rfcomm_cb);
2188 
2189         return err;
2190 }
2191 
2192 static void __exit rfcomm_exit(void)
2193 {
2194         debugfs_remove(rfcomm_dlc_debugfs);
2195 
2196         hci_unregister_cb(&rfcomm_cb);
2197 
2198         kthread_stop(rfcomm_thread);
2199 
2200         rfcomm_cleanup_ttys();
2201 
2202         rfcomm_cleanup_sockets();
2203 }
2204 
2205 module_init(rfcomm_init);
2206 module_exit(rfcomm_exit);
2207 
2208 module_param(disable_cfc, bool, 0644);
2209 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2210 
2211 module_param(channel_mtu, int, 0644);
2212 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2213 
2214 module_param(l2cap_mtu, uint, 0644);
2215 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2216 
2217 module_param(l2cap_ertm, bool, 0644);
2218 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2219 
2220 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2221 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2222 MODULE_VERSION(VERSION);
2223 MODULE_LICENSE("GPL");
2224 MODULE_ALIAS("bt-proto-3");
2225 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp