~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/bluetooth/rfcomm/core.c

Version: ~ [ linux-5.6-rc1 ] ~ [ linux-5.5.2 ] ~ [ linux-5.4.17 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.102 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.170 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.213 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.213 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.81 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
  3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
  4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
  5 
  6    This program is free software; you can redistribute it and/or modify
  7    it under the terms of the GNU General Public License version 2 as
  8    published by the Free Software Foundation;
  9 
 10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
 13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
 14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
 15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 18 
 19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
 20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
 21    SOFTWARE IS DISCLAIMED.
 22 */
 23 
 24 /*
 25  * Bluetooth RFCOMM core.
 26  */
 27 
 28 #include <linux/module.h>
 29 #include <linux/debugfs.h>
 30 #include <linux/kthread.h>
 31 #include <asm/unaligned.h>
 32 
 33 #include <net/bluetooth/bluetooth.h>
 34 #include <net/bluetooth/hci_core.h>
 35 #include <net/bluetooth/l2cap.h>
 36 #include <net/bluetooth/rfcomm.h>
 37 
 38 #define VERSION "1.11"
 39 
 40 static bool disable_cfc;
 41 static bool l2cap_ertm;
 42 static int channel_mtu = -1;
 43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
 44 
 45 static struct task_struct *rfcomm_thread;
 46 
 47 static DEFINE_MUTEX(rfcomm_mutex);
 48 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
 49 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
 50 
 51 
 52 static LIST_HEAD(session_list);
 53 
 54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
 55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
 56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
 57 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
 58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
 59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
 60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
 61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
 62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
 63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
 64 
 65 static void rfcomm_process_connect(struct rfcomm_session *s);
 66 
 67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
 68                                                         bdaddr_t *dst,
 69                                                         u8 sec_level,
 70                                                         int *err);
 71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
 72 static void rfcomm_session_del(struct rfcomm_session *s);
 73 
 74 /* ---- RFCOMM frame parsing macros ---- */
 75 #define __get_dlci(b)     ((b & 0xfc) >> 2)
 76 #define __get_channel(b)  ((b & 0xf8) >> 3)
 77 #define __get_dir(b)      ((b & 0x04) >> 2)
 78 #define __get_type(b)     ((b & 0xef))
 79 
 80 #define __test_ea(b)      ((b & 0x01))
 81 #define __test_cr(b)      ((b & 0x02))
 82 #define __test_pf(b)      ((b & 0x10))
 83 
 84 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
 85 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
 86 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
 87 #define __srv_channel(dlci)    (dlci >> 1)
 88 #define __dir(dlci)            (dlci & 0x01)
 89 
 90 #define __len8(len)       (((len) << 1) | 1)
 91 #define __len16(len)      ((len) << 1)
 92 
 93 /* MCC macros */
 94 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
 95 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
 96 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
 97 
 98 /* RPN macros */
 99 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
100 #define __get_rpn_data_bits(line) ((line) & 0x3)
101 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
102 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
103 
104 static void rfcomm_schedule(void)
105 {
106         if (!rfcomm_thread)
107                 return;
108         wake_up_process(rfcomm_thread);
109 }
110 
111 static void rfcomm_session_put(struct rfcomm_session *s)
112 {
113         if (atomic_dec_and_test(&s->refcnt))
114                 rfcomm_session_del(s);
115 }
116 
117 /* ---- RFCOMM FCS computation ---- */
118 
119 /* reversed, 8-bit, poly=0x07 */
120 static unsigned char rfcomm_crc_table[256] = {
121         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
122         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
123         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
124         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
125 
126         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
127         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
128         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
129         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
130 
131         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
132         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
133         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
134         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
135 
136         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
137         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
138         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
139         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
140 
141         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
142         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
143         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
144         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
145 
146         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
147         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
148         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
149         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
150 
151         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
152         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
153         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
154         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
155 
156         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
157         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
158         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
159         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
160 };
161 
162 /* CRC on 2 bytes */
163 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
164 
165 /* FCS on 2 bytes */
166 static inline u8 __fcs(u8 *data)
167 {
168         return 0xff - __crc(data);
169 }
170 
171 /* FCS on 3 bytes */
172 static inline u8 __fcs2(u8 *data)
173 {
174         return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
175 }
176 
177 /* Check FCS */
178 static inline int __check_fcs(u8 *data, int type, u8 fcs)
179 {
180         u8 f = __crc(data);
181 
182         if (type != RFCOMM_UIH)
183                 f = rfcomm_crc_table[f ^ data[2]];
184 
185         return rfcomm_crc_table[f ^ fcs] != 0xcf;
186 }
187 
188 /* ---- L2CAP callbacks ---- */
189 static void rfcomm_l2state_change(struct sock *sk)
190 {
191         BT_DBG("%p state %d", sk, sk->sk_state);
192         rfcomm_schedule();
193 }
194 
195 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
196 {
197         BT_DBG("%p bytes %d", sk, bytes);
198         rfcomm_schedule();
199 }
200 
201 static int rfcomm_l2sock_create(struct socket **sock)
202 {
203         int err;
204 
205         BT_DBG("");
206 
207         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
208         if (!err) {
209                 struct sock *sk = (*sock)->sk;
210                 sk->sk_data_ready   = rfcomm_l2data_ready;
211                 sk->sk_state_change = rfcomm_l2state_change;
212         }
213         return err;
214 }
215 
216 static int rfcomm_check_security(struct rfcomm_dlc *d)
217 {
218         struct sock *sk = d->session->sock->sk;
219         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
220 
221         __u8 auth_type;
222 
223         switch (d->sec_level) {
224         case BT_SECURITY_HIGH:
225                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
226                 break;
227         case BT_SECURITY_MEDIUM:
228                 auth_type = HCI_AT_GENERAL_BONDING;
229                 break;
230         default:
231                 auth_type = HCI_AT_NO_BONDING;
232                 break;
233         }
234 
235         return hci_conn_security(conn->hcon, d->sec_level, auth_type);
236 }
237 
238 static void rfcomm_session_timeout(unsigned long arg)
239 {
240         struct rfcomm_session *s = (void *) arg;
241 
242         BT_DBG("session %p state %ld", s, s->state);
243 
244         set_bit(RFCOMM_TIMED_OUT, &s->flags);
245         rfcomm_schedule();
246 }
247 
248 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
249 {
250         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
251 
252         if (!mod_timer(&s->timer, jiffies + timeout))
253                 rfcomm_session_hold(s);
254 }
255 
256 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
257 {
258         BT_DBG("session %p state %ld", s, s->state);
259 
260         if (del_timer(&s->timer))
261                 rfcomm_session_put(s);
262 }
263 
264 /* ---- RFCOMM DLCs ---- */
265 static void rfcomm_dlc_timeout(unsigned long arg)
266 {
267         struct rfcomm_dlc *d = (void *) arg;
268 
269         BT_DBG("dlc %p state %ld", d, d->state);
270 
271         set_bit(RFCOMM_TIMED_OUT, &d->flags);
272         rfcomm_dlc_put(d);
273         rfcomm_schedule();
274 }
275 
276 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
277 {
278         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
279 
280         if (!mod_timer(&d->timer, jiffies + timeout))
281                 rfcomm_dlc_hold(d);
282 }
283 
284 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
285 {
286         BT_DBG("dlc %p state %ld", d, d->state);
287 
288         if (del_timer(&d->timer))
289                 rfcomm_dlc_put(d);
290 }
291 
292 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
293 {
294         BT_DBG("%p", d);
295 
296         d->state      = BT_OPEN;
297         d->flags      = 0;
298         d->mscex      = 0;
299         d->sec_level  = BT_SECURITY_LOW;
300         d->mtu        = RFCOMM_DEFAULT_MTU;
301         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
302 
303         d->cfc        = RFCOMM_CFC_DISABLED;
304         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
305 }
306 
307 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
308 {
309         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
310 
311         if (!d)
312                 return NULL;
313 
314         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
315 
316         skb_queue_head_init(&d->tx_queue);
317         spin_lock_init(&d->lock);
318         atomic_set(&d->refcnt, 1);
319 
320         rfcomm_dlc_clear_state(d);
321 
322         BT_DBG("%p", d);
323 
324         return d;
325 }
326 
327 void rfcomm_dlc_free(struct rfcomm_dlc *d)
328 {
329         BT_DBG("%p", d);
330 
331         skb_queue_purge(&d->tx_queue);
332         kfree(d);
333 }
334 
335 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
336 {
337         BT_DBG("dlc %p session %p", d, s);
338 
339         rfcomm_session_hold(s);
340 
341         rfcomm_session_clear_timer(s);
342         rfcomm_dlc_hold(d);
343         list_add(&d->list, &s->dlcs);
344         d->session = s;
345 }
346 
347 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
348 {
349         struct rfcomm_session *s = d->session;
350 
351         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
352 
353         list_del(&d->list);
354         d->session = NULL;
355         rfcomm_dlc_put(d);
356 
357         if (list_empty(&s->dlcs))
358                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
359 
360         rfcomm_session_put(s);
361 }
362 
363 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
364 {
365         struct rfcomm_dlc *d;
366 
367         list_for_each_entry(d, &s->dlcs, list)
368                 if (d->dlci == dlci)
369                         return d;
370 
371         return NULL;
372 }
373 
374 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
375 {
376         struct rfcomm_session *s;
377         int err = 0;
378         u8 dlci;
379 
380         BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
381                d, d->state, src, dst, channel);
382 
383         if (channel < 1 || channel > 30)
384                 return -EINVAL;
385 
386         if (d->state != BT_OPEN && d->state != BT_CLOSED)
387                 return 0;
388 
389         s = rfcomm_session_get(src, dst);
390         if (!s) {
391                 s = rfcomm_session_create(src, dst, d->sec_level, &err);
392                 if (!s)
393                         return err;
394         }
395 
396         dlci = __dlci(!s->initiator, channel);
397 
398         /* Check if DLCI already exists */
399         if (rfcomm_dlc_get(s, dlci))
400                 return -EBUSY;
401 
402         rfcomm_dlc_clear_state(d);
403 
404         d->dlci     = dlci;
405         d->addr     = __addr(s->initiator, dlci);
406         d->priority = 7;
407 
408         d->state = BT_CONFIG;
409         rfcomm_dlc_link(s, d);
410 
411         d->out = 1;
412 
413         d->mtu = s->mtu;
414         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
415 
416         if (s->state == BT_CONNECTED) {
417                 if (rfcomm_check_security(d))
418                         rfcomm_send_pn(s, 1, d);
419                 else
420                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
421         }
422 
423         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
424 
425         return 0;
426 }
427 
428 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
429 {
430         int r;
431 
432         rfcomm_lock();
433 
434         r = __rfcomm_dlc_open(d, src, dst, channel);
435 
436         rfcomm_unlock();
437         return r;
438 }
439 
440 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
441 {
442         struct rfcomm_session *s = d->session;
443         if (!s)
444                 return 0;
445 
446         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
447                         d, d->state, d->dlci, err, s);
448 
449         switch (d->state) {
450         case BT_CONNECT:
451         case BT_CONFIG:
452                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
453                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
454                         rfcomm_schedule();
455                         break;
456                 }
457                 /* Fall through */
458 
459         case BT_CONNECTED:
460                 d->state = BT_DISCONN;
461                 if (skb_queue_empty(&d->tx_queue)) {
462                         rfcomm_send_disc(s, d->dlci);
463                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
464                 } else {
465                         rfcomm_queue_disc(d);
466                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
467                 }
468                 break;
469 
470         case BT_OPEN:
471         case BT_CONNECT2:
472                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
473                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
474                         rfcomm_schedule();
475                         break;
476                 }
477                 /* Fall through */
478 
479         default:
480                 rfcomm_dlc_clear_timer(d);
481 
482                 rfcomm_dlc_lock(d);
483                 d->state = BT_CLOSED;
484                 d->state_change(d, err);
485                 rfcomm_dlc_unlock(d);
486 
487                 skb_queue_purge(&d->tx_queue);
488                 rfcomm_dlc_unlink(d);
489         }
490 
491         return 0;
492 }
493 
494 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
495 {
496         int r;
497 
498         rfcomm_lock();
499 
500         r = __rfcomm_dlc_close(d, err);
501 
502         rfcomm_unlock();
503         return r;
504 }
505 
506 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
507 {
508         int len = skb->len;
509 
510         if (d->state != BT_CONNECTED)
511                 return -ENOTCONN;
512 
513         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
514 
515         if (len > d->mtu)
516                 return -EINVAL;
517 
518         rfcomm_make_uih(skb, d->addr);
519         skb_queue_tail(&d->tx_queue, skb);
520 
521         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
522                 rfcomm_schedule();
523         return len;
524 }
525 
526 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
527 {
528         BT_DBG("dlc %p state %ld", d, d->state);
529 
530         if (!d->cfc) {
531                 d->v24_sig |= RFCOMM_V24_FC;
532                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
533         }
534         rfcomm_schedule();
535 }
536 
537 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
538 {
539         BT_DBG("dlc %p state %ld", d, d->state);
540 
541         if (!d->cfc) {
542                 d->v24_sig &= ~RFCOMM_V24_FC;
543                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
544         }
545         rfcomm_schedule();
546 }
547 
548 /*
549    Set/get modem status functions use _local_ status i.e. what we report
550    to the other side.
551    Remote status is provided by dlc->modem_status() callback.
552  */
553 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
554 {
555         BT_DBG("dlc %p state %ld v24_sig 0x%x",
556                         d, d->state, v24_sig);
557 
558         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
559                 v24_sig |= RFCOMM_V24_FC;
560         else
561                 v24_sig &= ~RFCOMM_V24_FC;
562 
563         d->v24_sig = v24_sig;
564 
565         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
566                 rfcomm_schedule();
567 
568         return 0;
569 }
570 
571 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
572 {
573         BT_DBG("dlc %p state %ld v24_sig 0x%x",
574                         d, d->state, d->v24_sig);
575 
576         *v24_sig = d->v24_sig;
577         return 0;
578 }
579 
580 /* ---- RFCOMM sessions ---- */
581 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
582 {
583         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
584 
585         if (!s)
586                 return NULL;
587 
588         BT_DBG("session %p sock %p", s, sock);
589 
590         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
591 
592         INIT_LIST_HEAD(&s->dlcs);
593         s->state = state;
594         s->sock  = sock;
595 
596         s->mtu = RFCOMM_DEFAULT_MTU;
597         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
598 
599         /* Do not increment module usage count for listening sessions.
600          * Otherwise we won't be able to unload the module. */
601         if (state != BT_LISTEN)
602                 if (!try_module_get(THIS_MODULE)) {
603                         kfree(s);
604                         return NULL;
605                 }
606 
607         list_add(&s->list, &session_list);
608 
609         return s;
610 }
611 
612 static void rfcomm_session_del(struct rfcomm_session *s)
613 {
614         int state = s->state;
615 
616         BT_DBG("session %p state %ld", s, s->state);
617 
618         list_del(&s->list);
619 
620         if (state == BT_CONNECTED)
621                 rfcomm_send_disc(s, 0);
622 
623         rfcomm_session_clear_timer(s);
624         sock_release(s->sock);
625         kfree(s);
626 
627         if (state != BT_LISTEN)
628                 module_put(THIS_MODULE);
629 }
630 
631 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
632 {
633         struct rfcomm_session *s;
634         struct list_head *p, *n;
635         struct bt_sock *sk;
636         list_for_each_safe(p, n, &session_list) {
637                 s = list_entry(p, struct rfcomm_session, list);
638                 sk = bt_sk(s->sock->sk);
639 
640                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
641                                 !bacmp(&sk->dst, dst))
642                         return s;
643         }
644         return NULL;
645 }
646 
647 static void rfcomm_session_close(struct rfcomm_session *s, int err)
648 {
649         struct rfcomm_dlc *d;
650         struct list_head *p, *n;
651 
652         BT_DBG("session %p state %ld err %d", s, s->state, err);
653 
654         rfcomm_session_hold(s);
655 
656         s->state = BT_CLOSED;
657 
658         /* Close all dlcs */
659         list_for_each_safe(p, n, &s->dlcs) {
660                 d = list_entry(p, struct rfcomm_dlc, list);
661                 d->state = BT_CLOSED;
662                 __rfcomm_dlc_close(d, err);
663         }
664 
665         rfcomm_session_clear_timer(s);
666         rfcomm_session_put(s);
667 }
668 
669 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
670                                                         bdaddr_t *dst,
671                                                         u8 sec_level,
672                                                         int *err)
673 {
674         struct rfcomm_session *s = NULL;
675         struct sockaddr_l2 addr;
676         struct socket *sock;
677         struct sock *sk;
678 
679         BT_DBG("%pMR -> %pMR", src, dst);
680 
681         *err = rfcomm_l2sock_create(&sock);
682         if (*err < 0)
683                 return NULL;
684 
685         bacpy(&addr.l2_bdaddr, src);
686         addr.l2_family = AF_BLUETOOTH;
687         addr.l2_psm    = 0;
688         addr.l2_cid    = 0;
689         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
690         if (*err < 0)
691                 goto failed;
692 
693         /* Set L2CAP options */
694         sk = sock->sk;
695         lock_sock(sk);
696         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
697         l2cap_pi(sk)->chan->sec_level = sec_level;
698         if (l2cap_ertm)
699                 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
700         release_sock(sk);
701 
702         s = rfcomm_session_add(sock, BT_BOUND);
703         if (!s) {
704                 *err = -ENOMEM;
705                 goto failed;
706         }
707 
708         s->initiator = 1;
709 
710         bacpy(&addr.l2_bdaddr, dst);
711         addr.l2_family = AF_BLUETOOTH;
712         addr.l2_psm    = __constant_cpu_to_le16(RFCOMM_PSM);
713         addr.l2_cid    = 0;
714         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
715         if (*err == 0 || *err == -EINPROGRESS)
716                 return s;
717 
718         rfcomm_session_del(s);
719         return NULL;
720 
721 failed:
722         sock_release(sock);
723         return NULL;
724 }
725 
726 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
727 {
728         struct sock *sk = s->sock->sk;
729         if (src)
730                 bacpy(src, &bt_sk(sk)->src);
731         if (dst)
732                 bacpy(dst, &bt_sk(sk)->dst);
733 }
734 
735 /* ---- RFCOMM frame sending ---- */
736 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
737 {
738         struct kvec iv = { data, len };
739         struct msghdr msg;
740 
741         BT_DBG("session %p len %d", s, len);
742 
743         memset(&msg, 0, sizeof(msg));
744 
745         return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
746 }
747 
748 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
749 {
750         BT_DBG("%p cmd %u", s, cmd->ctrl);
751 
752         return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
753 }
754 
755 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
756 {
757         struct rfcomm_cmd cmd;
758 
759         BT_DBG("%p dlci %d", s, dlci);
760 
761         cmd.addr = __addr(s->initiator, dlci);
762         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
763         cmd.len  = __len8(0);
764         cmd.fcs  = __fcs2((u8 *) &cmd);
765 
766         return rfcomm_send_cmd(s, &cmd);
767 }
768 
769 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
770 {
771         struct rfcomm_cmd cmd;
772 
773         BT_DBG("%p dlci %d", s, dlci);
774 
775         cmd.addr = __addr(!s->initiator, dlci);
776         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
777         cmd.len  = __len8(0);
778         cmd.fcs  = __fcs2((u8 *) &cmd);
779 
780         return rfcomm_send_cmd(s, &cmd);
781 }
782 
783 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
784 {
785         struct rfcomm_cmd cmd;
786 
787         BT_DBG("%p dlci %d", s, dlci);
788 
789         cmd.addr = __addr(s->initiator, dlci);
790         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
791         cmd.len  = __len8(0);
792         cmd.fcs  = __fcs2((u8 *) &cmd);
793 
794         return rfcomm_send_cmd(s, &cmd);
795 }
796 
797 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
798 {
799         struct rfcomm_cmd *cmd;
800         struct sk_buff *skb;
801 
802         BT_DBG("dlc %p dlci %d", d, d->dlci);
803 
804         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
805         if (!skb)
806                 return -ENOMEM;
807 
808         cmd = (void *) __skb_put(skb, sizeof(*cmd));
809         cmd->addr = d->addr;
810         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
811         cmd->len  = __len8(0);
812         cmd->fcs  = __fcs2((u8 *) cmd);
813 
814         skb_queue_tail(&d->tx_queue, skb);
815         rfcomm_schedule();
816         return 0;
817 }
818 
819 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
820 {
821         struct rfcomm_cmd cmd;
822 
823         BT_DBG("%p dlci %d", s, dlci);
824 
825         cmd.addr = __addr(!s->initiator, dlci);
826         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
827         cmd.len  = __len8(0);
828         cmd.fcs  = __fcs2((u8 *) &cmd);
829 
830         return rfcomm_send_cmd(s, &cmd);
831 }
832 
833 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
834 {
835         struct rfcomm_hdr *hdr;
836         struct rfcomm_mcc *mcc;
837         u8 buf[16], *ptr = buf;
838 
839         BT_DBG("%p cr %d type %d", s, cr, type);
840 
841         hdr = (void *) ptr; ptr += sizeof(*hdr);
842         hdr->addr = __addr(s->initiator, 0);
843         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
844         hdr->len  = __len8(sizeof(*mcc) + 1);
845 
846         mcc = (void *) ptr; ptr += sizeof(*mcc);
847         mcc->type = __mcc_type(cr, RFCOMM_NSC);
848         mcc->len  = __len8(1);
849 
850         /* Type that we didn't like */
851         *ptr = __mcc_type(cr, type); ptr++;
852 
853         *ptr = __fcs(buf); ptr++;
854 
855         return rfcomm_send_frame(s, buf, ptr - buf);
856 }
857 
858 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
859 {
860         struct rfcomm_hdr *hdr;
861         struct rfcomm_mcc *mcc;
862         struct rfcomm_pn  *pn;
863         u8 buf[16], *ptr = buf;
864 
865         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
866 
867         hdr = (void *) ptr; ptr += sizeof(*hdr);
868         hdr->addr = __addr(s->initiator, 0);
869         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
870         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
871 
872         mcc = (void *) ptr; ptr += sizeof(*mcc);
873         mcc->type = __mcc_type(cr, RFCOMM_PN);
874         mcc->len  = __len8(sizeof(*pn));
875 
876         pn = (void *) ptr; ptr += sizeof(*pn);
877         pn->dlci        = d->dlci;
878         pn->priority    = d->priority;
879         pn->ack_timer   = 0;
880         pn->max_retrans = 0;
881 
882         if (s->cfc) {
883                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
884                 pn->credits = RFCOMM_DEFAULT_CREDITS;
885         } else {
886                 pn->flow_ctrl = 0;
887                 pn->credits   = 0;
888         }
889 
890         if (cr && channel_mtu >= 0)
891                 pn->mtu = cpu_to_le16(channel_mtu);
892         else
893                 pn->mtu = cpu_to_le16(d->mtu);
894 
895         *ptr = __fcs(buf); ptr++;
896 
897         return rfcomm_send_frame(s, buf, ptr - buf);
898 }
899 
900 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
901                         u8 bit_rate, u8 data_bits, u8 stop_bits,
902                         u8 parity, u8 flow_ctrl_settings,
903                         u8 xon_char, u8 xoff_char, u16 param_mask)
904 {
905         struct rfcomm_hdr *hdr;
906         struct rfcomm_mcc *mcc;
907         struct rfcomm_rpn *rpn;
908         u8 buf[16], *ptr = buf;
909 
910         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
911                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
912                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
913                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
914 
915         hdr = (void *) ptr; ptr += sizeof(*hdr);
916         hdr->addr = __addr(s->initiator, 0);
917         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
918         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
919 
920         mcc = (void *) ptr; ptr += sizeof(*mcc);
921         mcc->type = __mcc_type(cr, RFCOMM_RPN);
922         mcc->len  = __len8(sizeof(*rpn));
923 
924         rpn = (void *) ptr; ptr += sizeof(*rpn);
925         rpn->dlci          = __addr(1, dlci);
926         rpn->bit_rate      = bit_rate;
927         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
928         rpn->flow_ctrl     = flow_ctrl_settings;
929         rpn->xon_char      = xon_char;
930         rpn->xoff_char     = xoff_char;
931         rpn->param_mask    = cpu_to_le16(param_mask);
932 
933         *ptr = __fcs(buf); ptr++;
934 
935         return rfcomm_send_frame(s, buf, ptr - buf);
936 }
937 
938 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
939 {
940         struct rfcomm_hdr *hdr;
941         struct rfcomm_mcc *mcc;
942         struct rfcomm_rls *rls;
943         u8 buf[16], *ptr = buf;
944 
945         BT_DBG("%p cr %d status 0x%x", s, cr, status);
946 
947         hdr = (void *) ptr; ptr += sizeof(*hdr);
948         hdr->addr = __addr(s->initiator, 0);
949         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
950         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
951 
952         mcc = (void *) ptr; ptr += sizeof(*mcc);
953         mcc->type = __mcc_type(cr, RFCOMM_RLS);
954         mcc->len  = __len8(sizeof(*rls));
955 
956         rls = (void *) ptr; ptr += sizeof(*rls);
957         rls->dlci   = __addr(1, dlci);
958         rls->status = status;
959 
960         *ptr = __fcs(buf); ptr++;
961 
962         return rfcomm_send_frame(s, buf, ptr - buf);
963 }
964 
965 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
966 {
967         struct rfcomm_hdr *hdr;
968         struct rfcomm_mcc *mcc;
969         struct rfcomm_msc *msc;
970         u8 buf[16], *ptr = buf;
971 
972         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
973 
974         hdr = (void *) ptr; ptr += sizeof(*hdr);
975         hdr->addr = __addr(s->initiator, 0);
976         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
977         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
978 
979         mcc = (void *) ptr; ptr += sizeof(*mcc);
980         mcc->type = __mcc_type(cr, RFCOMM_MSC);
981         mcc->len  = __len8(sizeof(*msc));
982 
983         msc = (void *) ptr; ptr += sizeof(*msc);
984         msc->dlci    = __addr(1, dlci);
985         msc->v24_sig = v24_sig | 0x01;
986 
987         *ptr = __fcs(buf); ptr++;
988 
989         return rfcomm_send_frame(s, buf, ptr - buf);
990 }
991 
992 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
993 {
994         struct rfcomm_hdr *hdr;
995         struct rfcomm_mcc *mcc;
996         u8 buf[16], *ptr = buf;
997 
998         BT_DBG("%p cr %d", s, cr);
999 
1000         hdr = (void *) ptr; ptr += sizeof(*hdr);
1001         hdr->addr = __addr(s->initiator, 0);
1002         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1003         hdr->len  = __len8(sizeof(*mcc));
1004 
1005         mcc = (void *) ptr; ptr += sizeof(*mcc);
1006         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1007         mcc->len  = __len8(0);
1008 
1009         *ptr = __fcs(buf); ptr++;
1010 
1011         return rfcomm_send_frame(s, buf, ptr - buf);
1012 }
1013 
1014 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1015 {
1016         struct rfcomm_hdr *hdr;
1017         struct rfcomm_mcc *mcc;
1018         u8 buf[16], *ptr = buf;
1019 
1020         BT_DBG("%p cr %d", s, cr);
1021 
1022         hdr = (void *) ptr; ptr += sizeof(*hdr);
1023         hdr->addr = __addr(s->initiator, 0);
1024         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1025         hdr->len  = __len8(sizeof(*mcc));
1026 
1027         mcc = (void *) ptr; ptr += sizeof(*mcc);
1028         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1029         mcc->len  = __len8(0);
1030 
1031         *ptr = __fcs(buf); ptr++;
1032 
1033         return rfcomm_send_frame(s, buf, ptr - buf);
1034 }
1035 
1036 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1037 {
1038         struct socket *sock = s->sock;
1039         struct kvec iv[3];
1040         struct msghdr msg;
1041         unsigned char hdr[5], crc[1];
1042 
1043         if (len > 125)
1044                 return -EINVAL;
1045 
1046         BT_DBG("%p cr %d", s, cr);
1047 
1048         hdr[0] = __addr(s->initiator, 0);
1049         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1050         hdr[2] = 0x01 | ((len + 2) << 1);
1051         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1052         hdr[4] = 0x01 | (len << 1);
1053 
1054         crc[0] = __fcs(hdr);
1055 
1056         iv[0].iov_base = hdr;
1057         iv[0].iov_len  = 5;
1058         iv[1].iov_base = pattern;
1059         iv[1].iov_len  = len;
1060         iv[2].iov_base = crc;
1061         iv[2].iov_len  = 1;
1062 
1063         memset(&msg, 0, sizeof(msg));
1064 
1065         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1066 }
1067 
1068 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1069 {
1070         struct rfcomm_hdr *hdr;
1071         u8 buf[16], *ptr = buf;
1072 
1073         BT_DBG("%p addr %d credits %d", s, addr, credits);
1074 
1075         hdr = (void *) ptr; ptr += sizeof(*hdr);
1076         hdr->addr = addr;
1077         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1078         hdr->len  = __len8(0);
1079 
1080         *ptr = credits; ptr++;
1081 
1082         *ptr = __fcs(buf); ptr++;
1083 
1084         return rfcomm_send_frame(s, buf, ptr - buf);
1085 }
1086 
1087 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1088 {
1089         struct rfcomm_hdr *hdr;
1090         int len = skb->len;
1091         u8 *crc;
1092 
1093         if (len > 127) {
1094                 hdr = (void *) skb_push(skb, 4);
1095                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1096         } else {
1097                 hdr = (void *) skb_push(skb, 3);
1098                 hdr->len = __len8(len);
1099         }
1100         hdr->addr = addr;
1101         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1102 
1103         crc = skb_put(skb, 1);
1104         *crc = __fcs((void *) hdr);
1105 }
1106 
1107 /* ---- RFCOMM frame reception ---- */
1108 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1109 {
1110         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1111 
1112         if (dlci) {
1113                 /* Data channel */
1114                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1115                 if (!d) {
1116                         rfcomm_send_dm(s, dlci);
1117                         return 0;
1118                 }
1119 
1120                 switch (d->state) {
1121                 case BT_CONNECT:
1122                         rfcomm_dlc_clear_timer(d);
1123 
1124                         rfcomm_dlc_lock(d);
1125                         d->state = BT_CONNECTED;
1126                         d->state_change(d, 0);
1127                         rfcomm_dlc_unlock(d);
1128 
1129                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1130                         break;
1131 
1132                 case BT_DISCONN:
1133                         d->state = BT_CLOSED;
1134                         __rfcomm_dlc_close(d, 0);
1135 
1136                         if (list_empty(&s->dlcs)) {
1137                                 s->state = BT_DISCONN;
1138                                 rfcomm_send_disc(s, 0);
1139                                 rfcomm_session_clear_timer(s);
1140                         }
1141 
1142                         break;
1143                 }
1144         } else {
1145                 /* Control channel */
1146                 switch (s->state) {
1147                 case BT_CONNECT:
1148                         s->state = BT_CONNECTED;
1149                         rfcomm_process_connect(s);
1150                         break;
1151 
1152                 case BT_DISCONN:
1153                         /* rfcomm_session_put is called later so don't do
1154                          * anything here otherwise we will mess up the session
1155                          * reference counter:
1156                          *
1157                          * (a) when we are the initiator dlc_unlink will drive
1158                          * the reference counter to 0 (there is no initial put
1159                          * after session_add)
1160                          *
1161                          * (b) when we are not the initiator rfcomm_rx_process
1162                          * will explicitly call put to balance the initial hold
1163                          * done after session add.
1164                          */
1165                         break;
1166                 }
1167         }
1168         return 0;
1169 }
1170 
1171 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1172 {
1173         int err = 0;
1174 
1175         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1176 
1177         if (dlci) {
1178                 /* Data DLC */
1179                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1180                 if (d) {
1181                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1182                                 err = ECONNREFUSED;
1183                         else
1184                                 err = ECONNRESET;
1185 
1186                         d->state = BT_CLOSED;
1187                         __rfcomm_dlc_close(d, err);
1188                 }
1189         } else {
1190                 if (s->state == BT_CONNECT)
1191                         err = ECONNREFUSED;
1192                 else
1193                         err = ECONNRESET;
1194 
1195                 s->state = BT_CLOSED;
1196                 rfcomm_session_close(s, err);
1197         }
1198         return 0;
1199 }
1200 
1201 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1202 {
1203         int err = 0;
1204 
1205         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1206 
1207         if (dlci) {
1208                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1209                 if (d) {
1210                         rfcomm_send_ua(s, dlci);
1211 
1212                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1213                                 err = ECONNREFUSED;
1214                         else
1215                                 err = ECONNRESET;
1216 
1217                         d->state = BT_CLOSED;
1218                         __rfcomm_dlc_close(d, err);
1219                 } else
1220                         rfcomm_send_dm(s, dlci);
1221 
1222         } else {
1223                 rfcomm_send_ua(s, 0);
1224 
1225                 if (s->state == BT_CONNECT)
1226                         err = ECONNREFUSED;
1227                 else
1228                         err = ECONNRESET;
1229 
1230                 s->state = BT_CLOSED;
1231                 rfcomm_session_close(s, err);
1232         }
1233 
1234         return 0;
1235 }
1236 
1237 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1238 {
1239         struct sock *sk = d->session->sock->sk;
1240         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1241 
1242         BT_DBG("dlc %p", d);
1243 
1244         rfcomm_send_ua(d->session, d->dlci);
1245 
1246         rfcomm_dlc_clear_timer(d);
1247 
1248         rfcomm_dlc_lock(d);
1249         d->state = BT_CONNECTED;
1250         d->state_change(d, 0);
1251         rfcomm_dlc_unlock(d);
1252 
1253         if (d->role_switch)
1254                 hci_conn_switch_role(conn->hcon, 0x00);
1255 
1256         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1257 }
1258 
1259 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1260 {
1261         if (rfcomm_check_security(d)) {
1262                 if (d->defer_setup) {
1263                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1264                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1265 
1266                         rfcomm_dlc_lock(d);
1267                         d->state = BT_CONNECT2;
1268                         d->state_change(d, 0);
1269                         rfcomm_dlc_unlock(d);
1270                 } else
1271                         rfcomm_dlc_accept(d);
1272         } else {
1273                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1274                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1275         }
1276 }
1277 
1278 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1279 {
1280         struct rfcomm_dlc *d;
1281         u8 channel;
1282 
1283         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1284 
1285         if (!dlci) {
1286                 rfcomm_send_ua(s, 0);
1287 
1288                 if (s->state == BT_OPEN) {
1289                         s->state = BT_CONNECTED;
1290                         rfcomm_process_connect(s);
1291                 }
1292                 return 0;
1293         }
1294 
1295         /* Check if DLC exists */
1296         d = rfcomm_dlc_get(s, dlci);
1297         if (d) {
1298                 if (d->state == BT_OPEN) {
1299                         /* DLC was previously opened by PN request */
1300                         rfcomm_check_accept(d);
1301                 }
1302                 return 0;
1303         }
1304 
1305         /* Notify socket layer about incoming connection */
1306         channel = __srv_channel(dlci);
1307         if (rfcomm_connect_ind(s, channel, &d)) {
1308                 d->dlci = dlci;
1309                 d->addr = __addr(s->initiator, dlci);
1310                 rfcomm_dlc_link(s, d);
1311 
1312                 rfcomm_check_accept(d);
1313         } else {
1314                 rfcomm_send_dm(s, dlci);
1315         }
1316 
1317         return 0;
1318 }
1319 
1320 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1321 {
1322         struct rfcomm_session *s = d->session;
1323 
1324         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1325                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1326 
1327         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1328                                                 pn->flow_ctrl == 0xe0) {
1329                 d->cfc = RFCOMM_CFC_ENABLED;
1330                 d->tx_credits = pn->credits;
1331         } else {
1332                 d->cfc = RFCOMM_CFC_DISABLED;
1333                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1334         }
1335 
1336         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1337                 s->cfc = d->cfc;
1338 
1339         d->priority = pn->priority;
1340 
1341         d->mtu = __le16_to_cpu(pn->mtu);
1342 
1343         if (cr && d->mtu > s->mtu)
1344                 d->mtu = s->mtu;
1345 
1346         return 0;
1347 }
1348 
1349 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1350 {
1351         struct rfcomm_pn *pn = (void *) skb->data;
1352         struct rfcomm_dlc *d;
1353         u8 dlci = pn->dlci;
1354 
1355         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1356 
1357         if (!dlci)
1358                 return 0;
1359 
1360         d = rfcomm_dlc_get(s, dlci);
1361         if (d) {
1362                 if (cr) {
1363                         /* PN request */
1364                         rfcomm_apply_pn(d, cr, pn);
1365                         rfcomm_send_pn(s, 0, d);
1366                 } else {
1367                         /* PN response */
1368                         switch (d->state) {
1369                         case BT_CONFIG:
1370                                 rfcomm_apply_pn(d, cr, pn);
1371 
1372                                 d->state = BT_CONNECT;
1373                                 rfcomm_send_sabm(s, d->dlci);
1374                                 break;
1375                         }
1376                 }
1377         } else {
1378                 u8 channel = __srv_channel(dlci);
1379 
1380                 if (!cr)
1381                         return 0;
1382 
1383                 /* PN request for non existing DLC.
1384                  * Assume incoming connection. */
1385                 if (rfcomm_connect_ind(s, channel, &d)) {
1386                         d->dlci = dlci;
1387                         d->addr = __addr(s->initiator, dlci);
1388                         rfcomm_dlc_link(s, d);
1389 
1390                         rfcomm_apply_pn(d, cr, pn);
1391 
1392                         d->state = BT_OPEN;
1393                         rfcomm_send_pn(s, 0, d);
1394                 } else {
1395                         rfcomm_send_dm(s, dlci);
1396                 }
1397         }
1398         return 0;
1399 }
1400 
1401 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1402 {
1403         struct rfcomm_rpn *rpn = (void *) skb->data;
1404         u8 dlci = __get_dlci(rpn->dlci);
1405 
1406         u8 bit_rate  = 0;
1407         u8 data_bits = 0;
1408         u8 stop_bits = 0;
1409         u8 parity    = 0;
1410         u8 flow_ctrl = 0;
1411         u8 xon_char  = 0;
1412         u8 xoff_char = 0;
1413         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1414 
1415         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1416                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1417                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1418 
1419         if (!cr)
1420                 return 0;
1421 
1422         if (len == 1) {
1423                 /* This is a request, return default (according to ETSI TS 07.10) settings */
1424                 bit_rate  = RFCOMM_RPN_BR_9600;
1425                 data_bits = RFCOMM_RPN_DATA_8;
1426                 stop_bits = RFCOMM_RPN_STOP_1;
1427                 parity    = RFCOMM_RPN_PARITY_NONE;
1428                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1429                 xon_char  = RFCOMM_RPN_XON_CHAR;
1430                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1431                 goto rpn_out;
1432         }
1433 
1434         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1435          * no parity, no flow control lines, normal XON/XOFF chars */
1436 
1437         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1438                 bit_rate = rpn->bit_rate;
1439                 if (bit_rate > RFCOMM_RPN_BR_230400) {
1440                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1441                         bit_rate = RFCOMM_RPN_BR_9600;
1442                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1443                 }
1444         }
1445 
1446         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1447                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1448                 if (data_bits != RFCOMM_RPN_DATA_8) {
1449                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1450                         data_bits = RFCOMM_RPN_DATA_8;
1451                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1452                 }
1453         }
1454 
1455         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1456                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1457                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1458                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1459                         stop_bits = RFCOMM_RPN_STOP_1;
1460                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1461                 }
1462         }
1463 
1464         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1465                 parity = __get_rpn_parity(rpn->line_settings);
1466                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1467                         BT_DBG("RPN parity mismatch 0x%x", parity);
1468                         parity = RFCOMM_RPN_PARITY_NONE;
1469                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1470                 }
1471         }
1472 
1473         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1474                 flow_ctrl = rpn->flow_ctrl;
1475                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1476                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1477                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1478                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1479                 }
1480         }
1481 
1482         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1483                 xon_char = rpn->xon_char;
1484                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1485                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1486                         xon_char = RFCOMM_RPN_XON_CHAR;
1487                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1488                 }
1489         }
1490 
1491         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1492                 xoff_char = rpn->xoff_char;
1493                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1494                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1495                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1496                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1497                 }
1498         }
1499 
1500 rpn_out:
1501         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1502                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1503 
1504         return 0;
1505 }
1506 
1507 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1508 {
1509         struct rfcomm_rls *rls = (void *) skb->data;
1510         u8 dlci = __get_dlci(rls->dlci);
1511 
1512         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1513 
1514         if (!cr)
1515                 return 0;
1516 
1517         /* We should probably do something with this information here. But
1518          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1519          * mandatory to recognise and respond to RLS */
1520 
1521         rfcomm_send_rls(s, 0, dlci, rls->status);
1522 
1523         return 0;
1524 }
1525 
1526 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1527 {
1528         struct rfcomm_msc *msc = (void *) skb->data;
1529         struct rfcomm_dlc *d;
1530         u8 dlci = __get_dlci(msc->dlci);
1531 
1532         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1533 
1534         d = rfcomm_dlc_get(s, dlci);
1535         if (!d)
1536                 return 0;
1537 
1538         if (cr) {
1539                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1540                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1541                 else
1542                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1543 
1544                 rfcomm_dlc_lock(d);
1545 
1546                 d->remote_v24_sig = msc->v24_sig;
1547 
1548                 if (d->modem_status)
1549                         d->modem_status(d, msc->v24_sig);
1550 
1551                 rfcomm_dlc_unlock(d);
1552 
1553                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1554 
1555                 d->mscex |= RFCOMM_MSCEX_RX;
1556         } else
1557                 d->mscex |= RFCOMM_MSCEX_TX;
1558 
1559         return 0;
1560 }
1561 
1562 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1563 {
1564         struct rfcomm_mcc *mcc = (void *) skb->data;
1565         u8 type, cr, len;
1566 
1567         cr   = __test_cr(mcc->type);
1568         type = __get_mcc_type(mcc->type);
1569         len  = __get_mcc_len(mcc->len);
1570 
1571         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1572 
1573         skb_pull(skb, 2);
1574 
1575         switch (type) {
1576         case RFCOMM_PN:
1577                 rfcomm_recv_pn(s, cr, skb);
1578                 break;
1579 
1580         case RFCOMM_RPN:
1581                 rfcomm_recv_rpn(s, cr, len, skb);
1582                 break;
1583 
1584         case RFCOMM_RLS:
1585                 rfcomm_recv_rls(s, cr, skb);
1586                 break;
1587 
1588         case RFCOMM_MSC:
1589                 rfcomm_recv_msc(s, cr, skb);
1590                 break;
1591 
1592         case RFCOMM_FCOFF:
1593                 if (cr) {
1594                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1595                         rfcomm_send_fcoff(s, 0);
1596                 }
1597                 break;
1598 
1599         case RFCOMM_FCON:
1600                 if (cr) {
1601                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1602                         rfcomm_send_fcon(s, 0);
1603                 }
1604                 break;
1605 
1606         case RFCOMM_TEST:
1607                 if (cr)
1608                         rfcomm_send_test(s, 0, skb->data, skb->len);
1609                 break;
1610 
1611         case RFCOMM_NSC:
1612                 break;
1613 
1614         default:
1615                 BT_ERR("Unknown control type 0x%02x", type);
1616                 rfcomm_send_nsc(s, cr, type);
1617                 break;
1618         }
1619         return 0;
1620 }
1621 
1622 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1623 {
1624         struct rfcomm_dlc *d;
1625 
1626         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1627 
1628         d = rfcomm_dlc_get(s, dlci);
1629         if (!d) {
1630                 rfcomm_send_dm(s, dlci);
1631                 goto drop;
1632         }
1633 
1634         if (pf && d->cfc) {
1635                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1636 
1637                 d->tx_credits += credits;
1638                 if (d->tx_credits)
1639                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1640         }
1641 
1642         if (skb->len && d->state == BT_CONNECTED) {
1643                 rfcomm_dlc_lock(d);
1644                 d->rx_credits--;
1645                 d->data_ready(d, skb);
1646                 rfcomm_dlc_unlock(d);
1647                 return 0;
1648         }
1649 
1650 drop:
1651         kfree_skb(skb);
1652         return 0;
1653 }
1654 
1655 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1656 {
1657         struct rfcomm_hdr *hdr = (void *) skb->data;
1658         u8 type, dlci, fcs;
1659 
1660         dlci = __get_dlci(hdr->addr);
1661         type = __get_type(hdr->ctrl);
1662 
1663         /* Trim FCS */
1664         skb->len--; skb->tail--;
1665         fcs = *(u8 *)skb_tail_pointer(skb);
1666 
1667         if (__check_fcs(skb->data, type, fcs)) {
1668                 BT_ERR("bad checksum in packet");
1669                 kfree_skb(skb);
1670                 return -EILSEQ;
1671         }
1672 
1673         if (__test_ea(hdr->len))
1674                 skb_pull(skb, 3);
1675         else
1676                 skb_pull(skb, 4);
1677 
1678         switch (type) {
1679         case RFCOMM_SABM:
1680                 if (__test_pf(hdr->ctrl))
1681                         rfcomm_recv_sabm(s, dlci);
1682                 break;
1683 
1684         case RFCOMM_DISC:
1685                 if (__test_pf(hdr->ctrl))
1686                         rfcomm_recv_disc(s, dlci);
1687                 break;
1688 
1689         case RFCOMM_UA:
1690                 if (__test_pf(hdr->ctrl))
1691                         rfcomm_recv_ua(s, dlci);
1692                 break;
1693 
1694         case RFCOMM_DM:
1695                 rfcomm_recv_dm(s, dlci);
1696                 break;
1697 
1698         case RFCOMM_UIH:
1699                 if (dlci)
1700                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1701 
1702                 rfcomm_recv_mcc(s, skb);
1703                 break;
1704 
1705         default:
1706                 BT_ERR("Unknown packet type 0x%02x", type);
1707                 break;
1708         }
1709         kfree_skb(skb);
1710         return 0;
1711 }
1712 
1713 /* ---- Connection and data processing ---- */
1714 
1715 static void rfcomm_process_connect(struct rfcomm_session *s)
1716 {
1717         struct rfcomm_dlc *d;
1718         struct list_head *p, *n;
1719 
1720         BT_DBG("session %p state %ld", s, s->state);
1721 
1722         list_for_each_safe(p, n, &s->dlcs) {
1723                 d = list_entry(p, struct rfcomm_dlc, list);
1724                 if (d->state == BT_CONFIG) {
1725                         d->mtu = s->mtu;
1726                         if (rfcomm_check_security(d)) {
1727                                 rfcomm_send_pn(s, 1, d);
1728                         } else {
1729                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1730                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1731                         }
1732                 }
1733         }
1734 }
1735 
1736 /* Send data queued for the DLC.
1737  * Return number of frames left in the queue.
1738  */
1739 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1740 {
1741         struct sk_buff *skb;
1742         int err;
1743 
1744         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1745                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1746 
1747         /* Send pending MSC */
1748         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1749                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1750 
1751         if (d->cfc) {
1752                 /* CFC enabled.
1753                  * Give them some credits */
1754                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1755                                 d->rx_credits <= (d->cfc >> 2)) {
1756                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1757                         d->rx_credits = d->cfc;
1758                 }
1759         } else {
1760                 /* CFC disabled.
1761                  * Give ourselves some credits */
1762                 d->tx_credits = 5;
1763         }
1764 
1765         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1766                 return skb_queue_len(&d->tx_queue);
1767 
1768         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1769                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1770                 if (err < 0) {
1771                         skb_queue_head(&d->tx_queue, skb);
1772                         break;
1773                 }
1774                 kfree_skb(skb);
1775                 d->tx_credits--;
1776         }
1777 
1778         if (d->cfc && !d->tx_credits) {
1779                 /* We're out of TX credits.
1780                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1781                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1782         }
1783 
1784         return skb_queue_len(&d->tx_queue);
1785 }
1786 
1787 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1788 {
1789         struct rfcomm_dlc *d;
1790         struct list_head *p, *n;
1791 
1792         BT_DBG("session %p state %ld", s, s->state);
1793 
1794         list_for_each_safe(p, n, &s->dlcs) {
1795                 d = list_entry(p, struct rfcomm_dlc, list);
1796 
1797                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1798                         __rfcomm_dlc_close(d, ETIMEDOUT);
1799                         continue;
1800                 }
1801 
1802                 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1803                         __rfcomm_dlc_close(d, ECONNREFUSED);
1804                         continue;
1805                 }
1806 
1807                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1808                         rfcomm_dlc_clear_timer(d);
1809                         if (d->out) {
1810                                 rfcomm_send_pn(s, 1, d);
1811                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1812                         } else {
1813                                 if (d->defer_setup) {
1814                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1815                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1816 
1817                                         rfcomm_dlc_lock(d);
1818                                         d->state = BT_CONNECT2;
1819                                         d->state_change(d, 0);
1820                                         rfcomm_dlc_unlock(d);
1821                                 } else
1822                                         rfcomm_dlc_accept(d);
1823                         }
1824                         continue;
1825                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1826                         rfcomm_dlc_clear_timer(d);
1827                         if (!d->out)
1828                                 rfcomm_send_dm(s, d->dlci);
1829                         else
1830                                 d->state = BT_CLOSED;
1831                         __rfcomm_dlc_close(d, ECONNREFUSED);
1832                         continue;
1833                 }
1834 
1835                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1836                         continue;
1837 
1838                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1839                         continue;
1840 
1841                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1842                                                 d->mscex == RFCOMM_MSCEX_OK)
1843                         rfcomm_process_tx(d);
1844         }
1845 }
1846 
1847 static void rfcomm_process_rx(struct rfcomm_session *s)
1848 {
1849         struct socket *sock = s->sock;
1850         struct sock *sk = sock->sk;
1851         struct sk_buff *skb;
1852 
1853         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1854 
1855         /* Get data directly from socket receive queue without copying it. */
1856         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1857                 skb_orphan(skb);
1858                 if (!skb_linearize(skb))
1859                         rfcomm_recv_frame(s, skb);
1860                 else
1861                         kfree_skb(skb);
1862         }
1863 
1864         if (sk->sk_state == BT_CLOSED) {
1865                 if (!s->initiator)
1866                         rfcomm_session_put(s);
1867 
1868                 rfcomm_session_close(s, sk->sk_err);
1869         }
1870 }
1871 
1872 static void rfcomm_accept_connection(struct rfcomm_session *s)
1873 {
1874         struct socket *sock = s->sock, *nsock;
1875         int err;
1876 
1877         /* Fast check for a new connection.
1878          * Avoids unnesesary socket allocations. */
1879         if (list_empty(&bt_sk(sock->sk)->accept_q))
1880                 return;
1881 
1882         BT_DBG("session %p", s);
1883 
1884         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1885         if (err < 0)
1886                 return;
1887 
1888         /* Set our callbacks */
1889         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1890         nsock->sk->sk_state_change = rfcomm_l2state_change;
1891 
1892         s = rfcomm_session_add(nsock, BT_OPEN);
1893         if (s) {
1894                 rfcomm_session_hold(s);
1895 
1896                 /* We should adjust MTU on incoming sessions.
1897                  * L2CAP MTU minus UIH header and FCS. */
1898                 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1899                                 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1900 
1901                 rfcomm_schedule();
1902         } else
1903                 sock_release(nsock);
1904 }
1905 
1906 static void rfcomm_check_connection(struct rfcomm_session *s)
1907 {
1908         struct sock *sk = s->sock->sk;
1909 
1910         BT_DBG("%p state %ld", s, s->state);
1911 
1912         switch (sk->sk_state) {
1913         case BT_CONNECTED:
1914                 s->state = BT_CONNECT;
1915 
1916                 /* We can adjust MTU on outgoing sessions.
1917                  * L2CAP MTU minus UIH header and FCS. */
1918                 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1919 
1920                 rfcomm_send_sabm(s, 0);
1921                 break;
1922 
1923         case BT_CLOSED:
1924                 s->state = BT_CLOSED;
1925                 rfcomm_session_close(s, sk->sk_err);
1926                 break;
1927         }
1928 }
1929 
1930 static void rfcomm_process_sessions(void)
1931 {
1932         struct list_head *p, *n;
1933 
1934         rfcomm_lock();
1935 
1936         list_for_each_safe(p, n, &session_list) {
1937                 struct rfcomm_session *s;
1938                 s = list_entry(p, struct rfcomm_session, list);
1939 
1940                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1941                         s->state = BT_DISCONN;
1942                         rfcomm_send_disc(s, 0);
1943                         rfcomm_session_put(s);
1944                         continue;
1945                 }
1946 
1947                 if (s->state == BT_LISTEN) {
1948                         rfcomm_accept_connection(s);
1949                         continue;
1950                 }
1951 
1952                 rfcomm_session_hold(s);
1953 
1954                 switch (s->state) {
1955                 case BT_BOUND:
1956                         rfcomm_check_connection(s);
1957                         break;
1958 
1959                 default:
1960                         rfcomm_process_rx(s);
1961                         break;
1962                 }
1963 
1964                 rfcomm_process_dlcs(s);
1965 
1966                 rfcomm_session_put(s);
1967         }
1968 
1969         rfcomm_unlock();
1970 }
1971 
1972 static int rfcomm_add_listener(bdaddr_t *ba)
1973 {
1974         struct sockaddr_l2 addr;
1975         struct socket *sock;
1976         struct sock *sk;
1977         struct rfcomm_session *s;
1978         int    err = 0;
1979 
1980         /* Create socket */
1981         err = rfcomm_l2sock_create(&sock);
1982         if (err < 0) {
1983                 BT_ERR("Create socket failed %d", err);
1984                 return err;
1985         }
1986 
1987         /* Bind socket */
1988         bacpy(&addr.l2_bdaddr, ba);
1989         addr.l2_family = AF_BLUETOOTH;
1990         addr.l2_psm    = __constant_cpu_to_le16(RFCOMM_PSM);
1991         addr.l2_cid    = 0;
1992         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1993         if (err < 0) {
1994                 BT_ERR("Bind failed %d", err);
1995                 goto failed;
1996         }
1997 
1998         /* Set L2CAP options */
1999         sk = sock->sk;
2000         lock_sock(sk);
2001         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2002         release_sock(sk);
2003 
2004         /* Start listening on the socket */
2005         err = kernel_listen(sock, 10);
2006         if (err) {
2007                 BT_ERR("Listen failed %d", err);
2008                 goto failed;
2009         }
2010 
2011         /* Add listening session */
2012         s = rfcomm_session_add(sock, BT_LISTEN);
2013         if (!s)
2014                 goto failed;
2015 
2016         rfcomm_session_hold(s);
2017         return 0;
2018 failed:
2019         sock_release(sock);
2020         return err;
2021 }
2022 
2023 static void rfcomm_kill_listener(void)
2024 {
2025         struct rfcomm_session *s;
2026         struct list_head *p, *n;
2027 
2028         BT_DBG("");
2029 
2030         list_for_each_safe(p, n, &session_list) {
2031                 s = list_entry(p, struct rfcomm_session, list);
2032                 rfcomm_session_del(s);
2033         }
2034 }
2035 
2036 static int rfcomm_run(void *unused)
2037 {
2038         BT_DBG("");
2039 
2040         set_user_nice(current, -10);
2041 
2042         rfcomm_add_listener(BDADDR_ANY);
2043 
2044         while (1) {
2045                 set_current_state(TASK_INTERRUPTIBLE);
2046 
2047                 if (kthread_should_stop())
2048                         break;
2049 
2050                 /* Process stuff */
2051                 rfcomm_process_sessions();
2052 
2053                 schedule();
2054         }
2055         __set_current_state(TASK_RUNNING);
2056 
2057         rfcomm_kill_listener();
2058 
2059         return 0;
2060 }
2061 
2062 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2063 {
2064         struct rfcomm_session *s;
2065         struct rfcomm_dlc *d;
2066         struct list_head *p, *n;
2067 
2068         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2069 
2070         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2071         if (!s)
2072                 return;
2073 
2074         rfcomm_session_hold(s);
2075 
2076         list_for_each_safe(p, n, &s->dlcs) {
2077                 d = list_entry(p, struct rfcomm_dlc, list);
2078 
2079                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2080                         rfcomm_dlc_clear_timer(d);
2081                         if (status || encrypt == 0x00) {
2082                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2083                                 continue;
2084                         }
2085                 }
2086 
2087                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2088                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2089                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2090                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2091                                 continue;
2092                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2093                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2094                                 continue;
2095                         }
2096                 }
2097 
2098                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2099                         continue;
2100 
2101                 if (!status && hci_conn_check_secure(conn, d->sec_level))
2102                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2103                 else
2104                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2105         }
2106 
2107         rfcomm_session_put(s);
2108 
2109         rfcomm_schedule();
2110 }
2111 
2112 static struct hci_cb rfcomm_cb = {
2113         .name           = "RFCOMM",
2114         .security_cfm   = rfcomm_security_cfm
2115 };
2116 
2117 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2118 {
2119         struct rfcomm_session *s;
2120 
2121         rfcomm_lock();
2122 
2123         list_for_each_entry(s, &session_list, list) {
2124                 struct rfcomm_dlc *d;
2125                 list_for_each_entry(d, &s->dlcs, list) {
2126                         struct sock *sk = s->sock->sk;
2127 
2128                         seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2129                                    &bt_sk(sk)->src, &bt_sk(sk)->dst,
2130                                    d->state, d->dlci, d->mtu,
2131                                    d->rx_credits, d->tx_credits);
2132                 }
2133         }
2134 
2135         rfcomm_unlock();
2136 
2137         return 0;
2138 }
2139 
2140 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2141 {
2142         return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2143 }
2144 
2145 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2146         .open           = rfcomm_dlc_debugfs_open,
2147         .read           = seq_read,
2148         .llseek         = seq_lseek,
2149         .release        = single_release,
2150 };
2151 
2152 static struct dentry *rfcomm_dlc_debugfs;
2153 
2154 /* ---- Initialization ---- */
2155 static int __init rfcomm_init(void)
2156 {
2157         int err;
2158 
2159         hci_register_cb(&rfcomm_cb);
2160 
2161         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2162         if (IS_ERR(rfcomm_thread)) {
2163                 err = PTR_ERR(rfcomm_thread);
2164                 goto unregister;
2165         }
2166 
2167         if (bt_debugfs) {
2168                 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2169                                 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2170                 if (!rfcomm_dlc_debugfs)
2171                         BT_ERR("Failed to create RFCOMM debug file");
2172         }
2173 
2174         err = rfcomm_init_ttys();
2175         if (err < 0)
2176                 goto stop;
2177 
2178         err = rfcomm_init_sockets();
2179         if (err < 0)
2180                 goto cleanup;
2181 
2182         BT_INFO("RFCOMM ver %s", VERSION);
2183 
2184         return 0;
2185 
2186 cleanup:
2187         rfcomm_cleanup_ttys();
2188 
2189 stop:
2190         kthread_stop(rfcomm_thread);
2191 
2192 unregister:
2193         hci_unregister_cb(&rfcomm_cb);
2194 
2195         return err;
2196 }
2197 
2198 static void __exit rfcomm_exit(void)
2199 {
2200         debugfs_remove(rfcomm_dlc_debugfs);
2201 
2202         hci_unregister_cb(&rfcomm_cb);
2203 
2204         kthread_stop(rfcomm_thread);
2205 
2206         rfcomm_cleanup_ttys();
2207 
2208         rfcomm_cleanup_sockets();
2209 }
2210 
2211 module_init(rfcomm_init);
2212 module_exit(rfcomm_exit);
2213 
2214 module_param(disable_cfc, bool, 0644);
2215 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2216 
2217 module_param(channel_mtu, int, 0644);
2218 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2219 
2220 module_param(l2cap_mtu, uint, 0644);
2221 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2222 
2223 module_param(l2cap_ertm, bool, 0644);
2224 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2225 
2226 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2227 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2228 MODULE_VERSION(VERSION);
2229 MODULE_LICENSE("GPL");
2230 MODULE_ALIAS("bt-proto-3");
2231 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp