Version:  2.0.40 2.2.26 2.4.37 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 4.0 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8

Linux/net/bluetooth/rfcomm/core.c

  1 /*
  2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
  3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
  4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
  5 
  6    This program is free software; you can redistribute it and/or modify
  7    it under the terms of the GNU General Public License version 2 as
  8    published by the Free Software Foundation;
  9 
 10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
 13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
 14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
 15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 18 
 19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
 20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
 21    SOFTWARE IS DISCLAIMED.
 22 */
 23 
 24 /*
 25  * Bluetooth RFCOMM core.
 26  */
 27 
 28 #include <linux/module.h>
 29 #include <linux/debugfs.h>
 30 #include <linux/kthread.h>
 31 #include <asm/unaligned.h>
 32 
 33 #include <net/bluetooth/bluetooth.h>
 34 #include <net/bluetooth/hci_core.h>
 35 #include <net/bluetooth/l2cap.h>
 36 #include <net/bluetooth/rfcomm.h>
 37 
 38 #define VERSION "1.11"
 39 
 40 static bool disable_cfc;
 41 static bool l2cap_ertm;
 42 static int channel_mtu = -1;
 43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
 44 
 45 static struct task_struct *rfcomm_thread;
 46 
 47 static DEFINE_MUTEX(rfcomm_mutex);
 48 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
 49 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
 50 
 51 
 52 static LIST_HEAD(session_list);
 53 
 54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
 55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
 56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
 57 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
 58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
 59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
 60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
 61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
 62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
 63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
 64 
 65 static void rfcomm_process_connect(struct rfcomm_session *s);
 66 
 67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
 68                                                         bdaddr_t *dst,
 69                                                         u8 sec_level,
 70                                                         int *err);
 71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
 72 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
 73 
 74 /* ---- RFCOMM frame parsing macros ---- */
 75 #define __get_dlci(b)     ((b & 0xfc) >> 2)
 76 #define __get_channel(b)  ((b & 0xf8) >> 3)
 77 #define __get_dir(b)      ((b & 0x04) >> 2)
 78 #define __get_type(b)     ((b & 0xef))
 79 
 80 #define __test_ea(b)      ((b & 0x01))
 81 #define __test_cr(b)      (!!(b & 0x02))
 82 #define __test_pf(b)      (!!(b & 0x10))
 83 
 84 #define __session_dir(s)  ((s)->initiator ? 0x00 : 0x01)
 85 
 86 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
 87 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
 88 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
 89 #define __srv_channel(dlci)    (dlci >> 1)
 90 #define __dir(dlci)            (dlci & 0x01)
 91 
 92 #define __len8(len)       (((len) << 1) | 1)
 93 #define __len16(len)      ((len) << 1)
 94 
 95 /* MCC macros */
 96 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
 97 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
 98 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
 99 
100 /* RPN macros */
101 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
102 #define __get_rpn_data_bits(line) ((line) & 0x3)
103 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
104 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
105 
106 static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq);
107 
108 static void rfcomm_schedule(void)
109 {
110         wake_up_all(&rfcomm_wq);
111 }
112 
113 /* ---- RFCOMM FCS computation ---- */
114 
115 /* reversed, 8-bit, poly=0x07 */
116 static unsigned char rfcomm_crc_table[256] = {
117         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
118         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
119         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
120         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
121 
122         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
123         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
124         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
125         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
126 
127         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
128         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
129         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
130         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
131 
132         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
133         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
134         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
135         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
136 
137         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
138         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
139         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
140         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
141 
142         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
143         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
144         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
145         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
146 
147         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
148         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
149         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
150         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
151 
152         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
153         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
154         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
155         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
156 };
157 
158 /* CRC on 2 bytes */
159 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
160 
161 /* FCS on 2 bytes */
162 static inline u8 __fcs(u8 *data)
163 {
164         return 0xff - __crc(data);
165 }
166 
167 /* FCS on 3 bytes */
168 static inline u8 __fcs2(u8 *data)
169 {
170         return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
171 }
172 
173 /* Check FCS */
174 static inline int __check_fcs(u8 *data, int type, u8 fcs)
175 {
176         u8 f = __crc(data);
177 
178         if (type != RFCOMM_UIH)
179                 f = rfcomm_crc_table[f ^ data[2]];
180 
181         return rfcomm_crc_table[f ^ fcs] != 0xcf;
182 }
183 
184 /* ---- L2CAP callbacks ---- */
185 static void rfcomm_l2state_change(struct sock *sk)
186 {
187         BT_DBG("%p state %d", sk, sk->sk_state);
188         rfcomm_schedule();
189 }
190 
191 static void rfcomm_l2data_ready(struct sock *sk)
192 {
193         BT_DBG("%p", sk);
194         rfcomm_schedule();
195 }
196 
197 static int rfcomm_l2sock_create(struct socket **sock)
198 {
199         int err;
200 
201         BT_DBG("");
202 
203         err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
204         if (!err) {
205                 struct sock *sk = (*sock)->sk;
206                 sk->sk_data_ready   = rfcomm_l2data_ready;
207                 sk->sk_state_change = rfcomm_l2state_change;
208         }
209         return err;
210 }
211 
212 static int rfcomm_check_security(struct rfcomm_dlc *d)
213 {
214         struct sock *sk = d->session->sock->sk;
215         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
216 
217         __u8 auth_type;
218 
219         switch (d->sec_level) {
220         case BT_SECURITY_HIGH:
221         case BT_SECURITY_FIPS:
222                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
223                 break;
224         case BT_SECURITY_MEDIUM:
225                 auth_type = HCI_AT_GENERAL_BONDING;
226                 break;
227         default:
228                 auth_type = HCI_AT_NO_BONDING;
229                 break;
230         }
231 
232         return hci_conn_security(conn->hcon, d->sec_level, auth_type,
233                                  d->out);
234 }
235 
236 static void rfcomm_session_timeout(unsigned long arg)
237 {
238         struct rfcomm_session *s = (void *) arg;
239 
240         BT_DBG("session %p state %ld", s, s->state);
241 
242         set_bit(RFCOMM_TIMED_OUT, &s->flags);
243         rfcomm_schedule();
244 }
245 
246 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
247 {
248         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
249 
250         mod_timer(&s->timer, jiffies + timeout);
251 }
252 
253 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
254 {
255         BT_DBG("session %p state %ld", s, s->state);
256 
257         del_timer_sync(&s->timer);
258 }
259 
260 /* ---- RFCOMM DLCs ---- */
261 static void rfcomm_dlc_timeout(unsigned long arg)
262 {
263         struct rfcomm_dlc *d = (void *) arg;
264 
265         BT_DBG("dlc %p state %ld", d, d->state);
266 
267         set_bit(RFCOMM_TIMED_OUT, &d->flags);
268         rfcomm_dlc_put(d);
269         rfcomm_schedule();
270 }
271 
272 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
273 {
274         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
275 
276         if (!mod_timer(&d->timer, jiffies + timeout))
277                 rfcomm_dlc_hold(d);
278 }
279 
280 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
281 {
282         BT_DBG("dlc %p state %ld", d, d->state);
283 
284         if (del_timer(&d->timer))
285                 rfcomm_dlc_put(d);
286 }
287 
288 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
289 {
290         BT_DBG("%p", d);
291 
292         d->state      = BT_OPEN;
293         d->flags      = 0;
294         d->mscex      = 0;
295         d->sec_level  = BT_SECURITY_LOW;
296         d->mtu        = RFCOMM_DEFAULT_MTU;
297         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
298 
299         d->cfc        = RFCOMM_CFC_DISABLED;
300         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
301 }
302 
303 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
304 {
305         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
306 
307         if (!d)
308                 return NULL;
309 
310         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
311 
312         skb_queue_head_init(&d->tx_queue);
313         mutex_init(&d->lock);
314         atomic_set(&d->refcnt, 1);
315 
316         rfcomm_dlc_clear_state(d);
317 
318         BT_DBG("%p", d);
319 
320         return d;
321 }
322 
323 void rfcomm_dlc_free(struct rfcomm_dlc *d)
324 {
325         BT_DBG("%p", d);
326 
327         skb_queue_purge(&d->tx_queue);
328         kfree(d);
329 }
330 
331 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
332 {
333         BT_DBG("dlc %p session %p", d, s);
334 
335         rfcomm_session_clear_timer(s);
336         rfcomm_dlc_hold(d);
337         list_add(&d->list, &s->dlcs);
338         d->session = s;
339 }
340 
341 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
342 {
343         struct rfcomm_session *s = d->session;
344 
345         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
346 
347         list_del(&d->list);
348         d->session = NULL;
349         rfcomm_dlc_put(d);
350 
351         if (list_empty(&s->dlcs))
352                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
353 }
354 
355 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
356 {
357         struct rfcomm_dlc *d;
358 
359         list_for_each_entry(d, &s->dlcs, list)
360                 if (d->dlci == dlci)
361                         return d;
362 
363         return NULL;
364 }
365 
366 static int rfcomm_check_channel(u8 channel)
367 {
368         return channel < 1 || channel > 30;
369 }
370 
371 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
372 {
373         struct rfcomm_session *s;
374         int err = 0;
375         u8 dlci;
376 
377         BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
378                d, d->state, src, dst, channel);
379 
380         if (rfcomm_check_channel(channel))
381                 return -EINVAL;
382 
383         if (d->state != BT_OPEN && d->state != BT_CLOSED)
384                 return 0;
385 
386         s = rfcomm_session_get(src, dst);
387         if (!s) {
388                 s = rfcomm_session_create(src, dst, d->sec_level, &err);
389                 if (!s)
390                         return err;
391         }
392 
393         dlci = __dlci(__session_dir(s), channel);
394 
395         /* Check if DLCI already exists */
396         if (rfcomm_dlc_get(s, dlci))
397                 return -EBUSY;
398 
399         rfcomm_dlc_clear_state(d);
400 
401         d->dlci     = dlci;
402         d->addr     = __addr(s->initiator, dlci);
403         d->priority = 7;
404 
405         d->state = BT_CONFIG;
406         rfcomm_dlc_link(s, d);
407 
408         d->out = 1;
409 
410         d->mtu = s->mtu;
411         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
412 
413         if (s->state == BT_CONNECTED) {
414                 if (rfcomm_check_security(d))
415                         rfcomm_send_pn(s, 1, d);
416                 else
417                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
418         }
419 
420         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
421 
422         return 0;
423 }
424 
425 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
426 {
427         int r;
428 
429         rfcomm_lock();
430 
431         r = __rfcomm_dlc_open(d, src, dst, channel);
432 
433         rfcomm_unlock();
434         return r;
435 }
436 
437 static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
438 {
439         struct rfcomm_session *s = d->session;
440 
441         d->state = BT_DISCONN;
442         if (skb_queue_empty(&d->tx_queue)) {
443                 rfcomm_send_disc(s, d->dlci);
444                 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
445         } else {
446                 rfcomm_queue_disc(d);
447                 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
448         }
449 }
450 
451 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
452 {
453         struct rfcomm_session *s = d->session;
454         if (!s)
455                 return 0;
456 
457         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
458                         d, d->state, d->dlci, err, s);
459 
460         switch (d->state) {
461         case BT_CONNECT:
462         case BT_CONFIG:
463         case BT_OPEN:
464         case BT_CONNECT2:
465                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
466                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
467                         rfcomm_schedule();
468                         return 0;
469                 }
470         }
471 
472         switch (d->state) {
473         case BT_CONNECT:
474         case BT_CONNECTED:
475                 __rfcomm_dlc_disconn(d);
476                 break;
477 
478         case BT_CONFIG:
479                 if (s->state != BT_BOUND) {
480                         __rfcomm_dlc_disconn(d);
481                         break;
482                 }
483                 /* if closing a dlc in a session that hasn't been started,
484                  * just close and unlink the dlc
485                  */
486 
487         default:
488                 rfcomm_dlc_clear_timer(d);
489 
490                 rfcomm_dlc_lock(d);
491                 d->state = BT_CLOSED;
492                 d->state_change(d, err);
493                 rfcomm_dlc_unlock(d);
494 
495                 skb_queue_purge(&d->tx_queue);
496                 rfcomm_dlc_unlink(d);
497         }
498 
499         return 0;
500 }
501 
502 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
503 {
504         int r = 0;
505         struct rfcomm_dlc *d_list;
506         struct rfcomm_session *s, *s_list;
507 
508         BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
509 
510         rfcomm_lock();
511 
512         s = d->session;
513         if (!s)
514                 goto no_session;
515 
516         /* after waiting on the mutex check the session still exists
517          * then check the dlc still exists
518          */
519         list_for_each_entry(s_list, &session_list, list) {
520                 if (s_list == s) {
521                         list_for_each_entry(d_list, &s->dlcs, list) {
522                                 if (d_list == d) {
523                                         r = __rfcomm_dlc_close(d, err);
524                                         break;
525                                 }
526                         }
527                         break;
528                 }
529         }
530 
531 no_session:
532         rfcomm_unlock();
533         return r;
534 }
535 
536 struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
537 {
538         struct rfcomm_session *s;
539         struct rfcomm_dlc *dlc = NULL;
540         u8 dlci;
541 
542         if (rfcomm_check_channel(channel))
543                 return ERR_PTR(-EINVAL);
544 
545         rfcomm_lock();
546         s = rfcomm_session_get(src, dst);
547         if (s) {
548                 dlci = __dlci(__session_dir(s), channel);
549                 dlc = rfcomm_dlc_get(s, dlci);
550         }
551         rfcomm_unlock();
552         return dlc;
553 }
554 
555 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
556 {
557         int len = skb->len;
558 
559         if (d->state != BT_CONNECTED)
560                 return -ENOTCONN;
561 
562         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
563 
564         if (len > d->mtu)
565                 return -EINVAL;
566 
567         rfcomm_make_uih(skb, d->addr);
568         skb_queue_tail(&d->tx_queue, skb);
569 
570         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
571                 rfcomm_schedule();
572         return len;
573 }
574 
575 void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
576 {
577         int len = skb->len;
578 
579         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
580 
581         rfcomm_make_uih(skb, d->addr);
582         skb_queue_tail(&d->tx_queue, skb);
583 
584         if (d->state == BT_CONNECTED &&
585             !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
586                 rfcomm_schedule();
587 }
588 
589 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
590 {
591         BT_DBG("dlc %p state %ld", d, d->state);
592 
593         if (!d->cfc) {
594                 d->v24_sig |= RFCOMM_V24_FC;
595                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
596         }
597         rfcomm_schedule();
598 }
599 
600 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
601 {
602         BT_DBG("dlc %p state %ld", d, d->state);
603 
604         if (!d->cfc) {
605                 d->v24_sig &= ~RFCOMM_V24_FC;
606                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
607         }
608         rfcomm_schedule();
609 }
610 
611 /*
612    Set/get modem status functions use _local_ status i.e. what we report
613    to the other side.
614    Remote status is provided by dlc->modem_status() callback.
615  */
616 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
617 {
618         BT_DBG("dlc %p state %ld v24_sig 0x%x",
619                         d, d->state, v24_sig);
620 
621         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
622                 v24_sig |= RFCOMM_V24_FC;
623         else
624                 v24_sig &= ~RFCOMM_V24_FC;
625 
626         d->v24_sig = v24_sig;
627 
628         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
629                 rfcomm_schedule();
630 
631         return 0;
632 }
633 
634 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
635 {
636         BT_DBG("dlc %p state %ld v24_sig 0x%x",
637                         d, d->state, d->v24_sig);
638 
639         *v24_sig = d->v24_sig;
640         return 0;
641 }
642 
643 /* ---- RFCOMM sessions ---- */
644 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
645 {
646         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
647 
648         if (!s)
649                 return NULL;
650 
651         BT_DBG("session %p sock %p", s, sock);
652 
653         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
654 
655         INIT_LIST_HEAD(&s->dlcs);
656         s->state = state;
657         s->sock  = sock;
658 
659         s->mtu = RFCOMM_DEFAULT_MTU;
660         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
661 
662         /* Do not increment module usage count for listening sessions.
663          * Otherwise we won't be able to unload the module. */
664         if (state != BT_LISTEN)
665                 if (!try_module_get(THIS_MODULE)) {
666                         kfree(s);
667                         return NULL;
668                 }
669 
670         list_add(&s->list, &session_list);
671 
672         return s;
673 }
674 
675 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
676 {
677         int state = s->state;
678 
679         BT_DBG("session %p state %ld", s, s->state);
680 
681         list_del(&s->list);
682 
683         rfcomm_session_clear_timer(s);
684         sock_release(s->sock);
685         kfree(s);
686 
687         if (state != BT_LISTEN)
688                 module_put(THIS_MODULE);
689 
690         return NULL;
691 }
692 
693 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
694 {
695         struct rfcomm_session *s, *n;
696         struct l2cap_chan *chan;
697         list_for_each_entry_safe(s, n, &session_list, list) {
698                 chan = l2cap_pi(s->sock->sk)->chan;
699 
700                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) &&
701                     !bacmp(&chan->dst, dst))
702                         return s;
703         }
704         return NULL;
705 }
706 
707 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
708                                                    int err)
709 {
710         struct rfcomm_dlc *d, *n;
711 
712         s->state = BT_CLOSED;
713 
714         BT_DBG("session %p state %ld err %d", s, s->state, err);
715 
716         /* Close all dlcs */
717         list_for_each_entry_safe(d, n, &s->dlcs, list) {
718                 d->state = BT_CLOSED;
719                 __rfcomm_dlc_close(d, err);
720         }
721 
722         rfcomm_session_clear_timer(s);
723         return rfcomm_session_del(s);
724 }
725 
726 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
727                                                         bdaddr_t *dst,
728                                                         u8 sec_level,
729                                                         int *err)
730 {
731         struct rfcomm_session *s = NULL;
732         struct sockaddr_l2 addr;
733         struct socket *sock;
734         struct sock *sk;
735 
736         BT_DBG("%pMR -> %pMR", src, dst);
737 
738         *err = rfcomm_l2sock_create(&sock);
739         if (*err < 0)
740                 return NULL;
741 
742         bacpy(&addr.l2_bdaddr, src);
743         addr.l2_family = AF_BLUETOOTH;
744         addr.l2_psm    = 0;
745         addr.l2_cid    = 0;
746         addr.l2_bdaddr_type = BDADDR_BREDR;
747         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
748         if (*err < 0)
749                 goto failed;
750 
751         /* Set L2CAP options */
752         sk = sock->sk;
753         lock_sock(sk);
754         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
755         l2cap_pi(sk)->chan->sec_level = sec_level;
756         if (l2cap_ertm)
757                 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
758         release_sock(sk);
759 
760         s = rfcomm_session_add(sock, BT_BOUND);
761         if (!s) {
762                 *err = -ENOMEM;
763                 goto failed;
764         }
765 
766         s->initiator = 1;
767 
768         bacpy(&addr.l2_bdaddr, dst);
769         addr.l2_family = AF_BLUETOOTH;
770         addr.l2_psm    = cpu_to_le16(L2CAP_PSM_RFCOMM);
771         addr.l2_cid    = 0;
772         addr.l2_bdaddr_type = BDADDR_BREDR;
773         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
774         if (*err == 0 || *err == -EINPROGRESS)
775                 return s;
776 
777         return rfcomm_session_del(s);
778 
779 failed:
780         sock_release(sock);
781         return NULL;
782 }
783 
784 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
785 {
786         struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
787         if (src)
788                 bacpy(src, &chan->src);
789         if (dst)
790                 bacpy(dst, &chan->dst);
791 }
792 
793 /* ---- RFCOMM frame sending ---- */
794 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
795 {
796         struct kvec iv = { data, len };
797         struct msghdr msg;
798 
799         BT_DBG("session %p len %d", s, len);
800 
801         memset(&msg, 0, sizeof(msg));
802 
803         return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
804 }
805 
806 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
807 {
808         BT_DBG("%p cmd %u", s, cmd->ctrl);
809 
810         return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
811 }
812 
813 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
814 {
815         struct rfcomm_cmd cmd;
816 
817         BT_DBG("%p dlci %d", s, dlci);
818 
819         cmd.addr = __addr(s->initiator, dlci);
820         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
821         cmd.len  = __len8(0);
822         cmd.fcs  = __fcs2((u8 *) &cmd);
823 
824         return rfcomm_send_cmd(s, &cmd);
825 }
826 
827 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
828 {
829         struct rfcomm_cmd cmd;
830 
831         BT_DBG("%p dlci %d", s, dlci);
832 
833         cmd.addr = __addr(!s->initiator, dlci);
834         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
835         cmd.len  = __len8(0);
836         cmd.fcs  = __fcs2((u8 *) &cmd);
837 
838         return rfcomm_send_cmd(s, &cmd);
839 }
840 
841 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
842 {
843         struct rfcomm_cmd cmd;
844 
845         BT_DBG("%p dlci %d", s, dlci);
846 
847         cmd.addr = __addr(s->initiator, dlci);
848         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
849         cmd.len  = __len8(0);
850         cmd.fcs  = __fcs2((u8 *) &cmd);
851 
852         return rfcomm_send_cmd(s, &cmd);
853 }
854 
855 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
856 {
857         struct rfcomm_cmd *cmd;
858         struct sk_buff *skb;
859 
860         BT_DBG("dlc %p dlci %d", d, d->dlci);
861 
862         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
863         if (!skb)
864                 return -ENOMEM;
865 
866         cmd = (void *) __skb_put(skb, sizeof(*cmd));
867         cmd->addr = d->addr;
868         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
869         cmd->len  = __len8(0);
870         cmd->fcs  = __fcs2((u8 *) cmd);
871 
872         skb_queue_tail(&d->tx_queue, skb);
873         rfcomm_schedule();
874         return 0;
875 }
876 
877 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
878 {
879         struct rfcomm_cmd cmd;
880 
881         BT_DBG("%p dlci %d", s, dlci);
882 
883         cmd.addr = __addr(!s->initiator, dlci);
884         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
885         cmd.len  = __len8(0);
886         cmd.fcs  = __fcs2((u8 *) &cmd);
887 
888         return rfcomm_send_cmd(s, &cmd);
889 }
890 
891 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
892 {
893         struct rfcomm_hdr *hdr;
894         struct rfcomm_mcc *mcc;
895         u8 buf[16], *ptr = buf;
896 
897         BT_DBG("%p cr %d type %d", s, cr, type);
898 
899         hdr = (void *) ptr; ptr += sizeof(*hdr);
900         hdr->addr = __addr(s->initiator, 0);
901         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
902         hdr->len  = __len8(sizeof(*mcc) + 1);
903 
904         mcc = (void *) ptr; ptr += sizeof(*mcc);
905         mcc->type = __mcc_type(0, RFCOMM_NSC);
906         mcc->len  = __len8(1);
907 
908         /* Type that we didn't like */
909         *ptr = __mcc_type(cr, type); ptr++;
910 
911         *ptr = __fcs(buf); ptr++;
912 
913         return rfcomm_send_frame(s, buf, ptr - buf);
914 }
915 
916 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
917 {
918         struct rfcomm_hdr *hdr;
919         struct rfcomm_mcc *mcc;
920         struct rfcomm_pn  *pn;
921         u8 buf[16], *ptr = buf;
922 
923         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
924 
925         hdr = (void *) ptr; ptr += sizeof(*hdr);
926         hdr->addr = __addr(s->initiator, 0);
927         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
928         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
929 
930         mcc = (void *) ptr; ptr += sizeof(*mcc);
931         mcc->type = __mcc_type(cr, RFCOMM_PN);
932         mcc->len  = __len8(sizeof(*pn));
933 
934         pn = (void *) ptr; ptr += sizeof(*pn);
935         pn->dlci        = d->dlci;
936         pn->priority    = d->priority;
937         pn->ack_timer   = 0;
938         pn->max_retrans = 0;
939 
940         if (s->cfc) {
941                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
942                 pn->credits = RFCOMM_DEFAULT_CREDITS;
943         } else {
944                 pn->flow_ctrl = 0;
945                 pn->credits   = 0;
946         }
947 
948         if (cr && channel_mtu >= 0)
949                 pn->mtu = cpu_to_le16(channel_mtu);
950         else
951                 pn->mtu = cpu_to_le16(d->mtu);
952 
953         *ptr = __fcs(buf); ptr++;
954 
955         return rfcomm_send_frame(s, buf, ptr - buf);
956 }
957 
958 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
959                         u8 bit_rate, u8 data_bits, u8 stop_bits,
960                         u8 parity, u8 flow_ctrl_settings,
961                         u8 xon_char, u8 xoff_char, u16 param_mask)
962 {
963         struct rfcomm_hdr *hdr;
964         struct rfcomm_mcc *mcc;
965         struct rfcomm_rpn *rpn;
966         u8 buf[16], *ptr = buf;
967 
968         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
969                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
970                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
971                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
972 
973         hdr = (void *) ptr; ptr += sizeof(*hdr);
974         hdr->addr = __addr(s->initiator, 0);
975         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
976         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
977 
978         mcc = (void *) ptr; ptr += sizeof(*mcc);
979         mcc->type = __mcc_type(cr, RFCOMM_RPN);
980         mcc->len  = __len8(sizeof(*rpn));
981 
982         rpn = (void *) ptr; ptr += sizeof(*rpn);
983         rpn->dlci          = __addr(1, dlci);
984         rpn->bit_rate      = bit_rate;
985         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
986         rpn->flow_ctrl     = flow_ctrl_settings;
987         rpn->xon_char      = xon_char;
988         rpn->xoff_char     = xoff_char;
989         rpn->param_mask    = cpu_to_le16(param_mask);
990 
991         *ptr = __fcs(buf); ptr++;
992 
993         return rfcomm_send_frame(s, buf, ptr - buf);
994 }
995 
996 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
997 {
998         struct rfcomm_hdr *hdr;
999         struct rfcomm_mcc *mcc;
1000         struct rfcomm_rls *rls;
1001         u8 buf[16], *ptr = buf;
1002 
1003         BT_DBG("%p cr %d status 0x%x", s, cr, status);
1004 
1005         hdr = (void *) ptr; ptr += sizeof(*hdr);
1006         hdr->addr = __addr(s->initiator, 0);
1007         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1008         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
1009 
1010         mcc = (void *) ptr; ptr += sizeof(*mcc);
1011         mcc->type = __mcc_type(cr, RFCOMM_RLS);
1012         mcc->len  = __len8(sizeof(*rls));
1013 
1014         rls = (void *) ptr; ptr += sizeof(*rls);
1015         rls->dlci   = __addr(1, dlci);
1016         rls->status = status;
1017 
1018         *ptr = __fcs(buf); ptr++;
1019 
1020         return rfcomm_send_frame(s, buf, ptr - buf);
1021 }
1022 
1023 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
1024 {
1025         struct rfcomm_hdr *hdr;
1026         struct rfcomm_mcc *mcc;
1027         struct rfcomm_msc *msc;
1028         u8 buf[16], *ptr = buf;
1029 
1030         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
1031 
1032         hdr = (void *) ptr; ptr += sizeof(*hdr);
1033         hdr->addr = __addr(s->initiator, 0);
1034         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1035         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
1036 
1037         mcc = (void *) ptr; ptr += sizeof(*mcc);
1038         mcc->type = __mcc_type(cr, RFCOMM_MSC);
1039         mcc->len  = __len8(sizeof(*msc));
1040 
1041         msc = (void *) ptr; ptr += sizeof(*msc);
1042         msc->dlci    = __addr(1, dlci);
1043         msc->v24_sig = v24_sig | 0x01;
1044 
1045         *ptr = __fcs(buf); ptr++;
1046 
1047         return rfcomm_send_frame(s, buf, ptr - buf);
1048 }
1049 
1050 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1051 {
1052         struct rfcomm_hdr *hdr;
1053         struct rfcomm_mcc *mcc;
1054         u8 buf[16], *ptr = buf;
1055 
1056         BT_DBG("%p cr %d", s, cr);
1057 
1058         hdr = (void *) ptr; ptr += sizeof(*hdr);
1059         hdr->addr = __addr(s->initiator, 0);
1060         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1061         hdr->len  = __len8(sizeof(*mcc));
1062 
1063         mcc = (void *) ptr; ptr += sizeof(*mcc);
1064         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1065         mcc->len  = __len8(0);
1066 
1067         *ptr = __fcs(buf); ptr++;
1068 
1069         return rfcomm_send_frame(s, buf, ptr - buf);
1070 }
1071 
1072 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1073 {
1074         struct rfcomm_hdr *hdr;
1075         struct rfcomm_mcc *mcc;
1076         u8 buf[16], *ptr = buf;
1077 
1078         BT_DBG("%p cr %d", s, cr);
1079 
1080         hdr = (void *) ptr; ptr += sizeof(*hdr);
1081         hdr->addr = __addr(s->initiator, 0);
1082         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1083         hdr->len  = __len8(sizeof(*mcc));
1084 
1085         mcc = (void *) ptr; ptr += sizeof(*mcc);
1086         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1087         mcc->len  = __len8(0);
1088 
1089         *ptr = __fcs(buf); ptr++;
1090 
1091         return rfcomm_send_frame(s, buf, ptr - buf);
1092 }
1093 
1094 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1095 {
1096         struct socket *sock = s->sock;
1097         struct kvec iv[3];
1098         struct msghdr msg;
1099         unsigned char hdr[5], crc[1];
1100 
1101         if (len > 125)
1102                 return -EINVAL;
1103 
1104         BT_DBG("%p cr %d", s, cr);
1105 
1106         hdr[0] = __addr(s->initiator, 0);
1107         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1108         hdr[2] = 0x01 | ((len + 2) << 1);
1109         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1110         hdr[4] = 0x01 | (len << 1);
1111 
1112         crc[0] = __fcs(hdr);
1113 
1114         iv[0].iov_base = hdr;
1115         iv[0].iov_len  = 5;
1116         iv[1].iov_base = pattern;
1117         iv[1].iov_len  = len;
1118         iv[2].iov_base = crc;
1119         iv[2].iov_len  = 1;
1120 
1121         memset(&msg, 0, sizeof(msg));
1122 
1123         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1124 }
1125 
1126 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1127 {
1128         struct rfcomm_hdr *hdr;
1129         u8 buf[16], *ptr = buf;
1130 
1131         BT_DBG("%p addr %d credits %d", s, addr, credits);
1132 
1133         hdr = (void *) ptr; ptr += sizeof(*hdr);
1134         hdr->addr = addr;
1135         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1136         hdr->len  = __len8(0);
1137 
1138         *ptr = credits; ptr++;
1139 
1140         *ptr = __fcs(buf); ptr++;
1141 
1142         return rfcomm_send_frame(s, buf, ptr - buf);
1143 }
1144 
1145 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1146 {
1147         struct rfcomm_hdr *hdr;
1148         int len = skb->len;
1149         u8 *crc;
1150 
1151         if (len > 127) {
1152                 hdr = (void *) skb_push(skb, 4);
1153                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1154         } else {
1155                 hdr = (void *) skb_push(skb, 3);
1156                 hdr->len = __len8(len);
1157         }
1158         hdr->addr = addr;
1159         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1160 
1161         crc = skb_put(skb, 1);
1162         *crc = __fcs((void *) hdr);
1163 }
1164 
1165 /* ---- RFCOMM frame reception ---- */
1166 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1167 {
1168         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1169 
1170         if (dlci) {
1171                 /* Data channel */
1172                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1173                 if (!d) {
1174                         rfcomm_send_dm(s, dlci);
1175                         return s;
1176                 }
1177 
1178                 switch (d->state) {
1179                 case BT_CONNECT:
1180                         rfcomm_dlc_clear_timer(d);
1181 
1182                         rfcomm_dlc_lock(d);
1183                         d->state = BT_CONNECTED;
1184                         d->state_change(d, 0);
1185                         rfcomm_dlc_unlock(d);
1186 
1187                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1188                         break;
1189 
1190                 case BT_DISCONN:
1191                         d->state = BT_CLOSED;
1192                         __rfcomm_dlc_close(d, 0);
1193 
1194                         if (list_empty(&s->dlcs)) {
1195                                 s->state = BT_DISCONN;
1196                                 rfcomm_send_disc(s, 0);
1197                                 rfcomm_session_clear_timer(s);
1198                         }
1199 
1200                         break;
1201                 }
1202         } else {
1203                 /* Control channel */
1204                 switch (s->state) {
1205                 case BT_CONNECT:
1206                         s->state = BT_CONNECTED;
1207                         rfcomm_process_connect(s);
1208                         break;
1209 
1210                 case BT_DISCONN:
1211                         s = rfcomm_session_close(s, ECONNRESET);
1212                         break;
1213                 }
1214         }
1215         return s;
1216 }
1217 
1218 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1219 {
1220         int err = 0;
1221 
1222         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1223 
1224         if (dlci) {
1225                 /* Data DLC */
1226                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1227                 if (d) {
1228                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1229                                 err = ECONNREFUSED;
1230                         else
1231                                 err = ECONNRESET;
1232 
1233                         d->state = BT_CLOSED;
1234                         __rfcomm_dlc_close(d, err);
1235                 }
1236         } else {
1237                 if (s->state == BT_CONNECT)
1238                         err = ECONNREFUSED;
1239                 else
1240                         err = ECONNRESET;
1241 
1242                 s = rfcomm_session_close(s, err);
1243         }
1244         return s;
1245 }
1246 
1247 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1248                                                u8 dlci)
1249 {
1250         int err = 0;
1251 
1252         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1253 
1254         if (dlci) {
1255                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1256                 if (d) {
1257                         rfcomm_send_ua(s, dlci);
1258 
1259                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1260                                 err = ECONNREFUSED;
1261                         else
1262                                 err = ECONNRESET;
1263 
1264                         d->state = BT_CLOSED;
1265                         __rfcomm_dlc_close(d, err);
1266                 } else
1267                         rfcomm_send_dm(s, dlci);
1268 
1269         } else {
1270                 rfcomm_send_ua(s, 0);
1271 
1272                 if (s->state == BT_CONNECT)
1273                         err = ECONNREFUSED;
1274                 else
1275                         err = ECONNRESET;
1276 
1277                 s = rfcomm_session_close(s, err);
1278         }
1279         return s;
1280 }
1281 
1282 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1283 {
1284         struct sock *sk = d->session->sock->sk;
1285         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1286 
1287         BT_DBG("dlc %p", d);
1288 
1289         rfcomm_send_ua(d->session, d->dlci);
1290 
1291         rfcomm_dlc_clear_timer(d);
1292 
1293         rfcomm_dlc_lock(d);
1294         d->state = BT_CONNECTED;
1295         d->state_change(d, 0);
1296         rfcomm_dlc_unlock(d);
1297 
1298         if (d->role_switch)
1299                 hci_conn_switch_role(conn->hcon, 0x00);
1300 
1301         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1302 }
1303 
1304 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1305 {
1306         if (rfcomm_check_security(d)) {
1307                 if (d->defer_setup) {
1308                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1309                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1310 
1311                         rfcomm_dlc_lock(d);
1312                         d->state = BT_CONNECT2;
1313                         d->state_change(d, 0);
1314                         rfcomm_dlc_unlock(d);
1315                 } else
1316                         rfcomm_dlc_accept(d);
1317         } else {
1318                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1319                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1320         }
1321 }
1322 
1323 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1324 {
1325         struct rfcomm_dlc *d;
1326         u8 channel;
1327 
1328         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1329 
1330         if (!dlci) {
1331                 rfcomm_send_ua(s, 0);
1332 
1333                 if (s->state == BT_OPEN) {
1334                         s->state = BT_CONNECTED;
1335                         rfcomm_process_connect(s);
1336                 }
1337                 return 0;
1338         }
1339 
1340         /* Check if DLC exists */
1341         d = rfcomm_dlc_get(s, dlci);
1342         if (d) {
1343                 if (d->state == BT_OPEN) {
1344                         /* DLC was previously opened by PN request */
1345                         rfcomm_check_accept(d);
1346                 }
1347                 return 0;
1348         }
1349 
1350         /* Notify socket layer about incoming connection */
1351         channel = __srv_channel(dlci);
1352         if (rfcomm_connect_ind(s, channel, &d)) {
1353                 d->dlci = dlci;
1354                 d->addr = __addr(s->initiator, dlci);
1355                 rfcomm_dlc_link(s, d);
1356 
1357                 rfcomm_check_accept(d);
1358         } else {
1359                 rfcomm_send_dm(s, dlci);
1360         }
1361 
1362         return 0;
1363 }
1364 
1365 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1366 {
1367         struct rfcomm_session *s = d->session;
1368 
1369         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1370                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1371 
1372         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1373                                                 pn->flow_ctrl == 0xe0) {
1374                 d->cfc = RFCOMM_CFC_ENABLED;
1375                 d->tx_credits = pn->credits;
1376         } else {
1377                 d->cfc = RFCOMM_CFC_DISABLED;
1378                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1379         }
1380 
1381         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1382                 s->cfc = d->cfc;
1383 
1384         d->priority = pn->priority;
1385 
1386         d->mtu = __le16_to_cpu(pn->mtu);
1387 
1388         if (cr && d->mtu > s->mtu)
1389                 d->mtu = s->mtu;
1390 
1391         return 0;
1392 }
1393 
1394 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1395 {
1396         struct rfcomm_pn *pn = (void *) skb->data;
1397         struct rfcomm_dlc *d;
1398         u8 dlci = pn->dlci;
1399 
1400         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1401 
1402         if (!dlci)
1403                 return 0;
1404 
1405         d = rfcomm_dlc_get(s, dlci);
1406         if (d) {
1407                 if (cr) {
1408                         /* PN request */
1409                         rfcomm_apply_pn(d, cr, pn);
1410                         rfcomm_send_pn(s, 0, d);
1411                 } else {
1412                         /* PN response */
1413                         switch (d->state) {
1414                         case BT_CONFIG:
1415                                 rfcomm_apply_pn(d, cr, pn);
1416 
1417                                 d->state = BT_CONNECT;
1418                                 rfcomm_send_sabm(s, d->dlci);
1419                                 break;
1420                         }
1421                 }
1422         } else {
1423                 u8 channel = __srv_channel(dlci);
1424 
1425                 if (!cr)
1426                         return 0;
1427 
1428                 /* PN request for non existing DLC.
1429                  * Assume incoming connection. */
1430                 if (rfcomm_connect_ind(s, channel, &d)) {
1431                         d->dlci = dlci;
1432                         d->addr = __addr(s->initiator, dlci);
1433                         rfcomm_dlc_link(s, d);
1434 
1435                         rfcomm_apply_pn(d, cr, pn);
1436 
1437                         d->state = BT_OPEN;
1438                         rfcomm_send_pn(s, 0, d);
1439                 } else {
1440                         rfcomm_send_dm(s, dlci);
1441                 }
1442         }
1443         return 0;
1444 }
1445 
1446 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1447 {
1448         struct rfcomm_rpn *rpn = (void *) skb->data;
1449         u8 dlci = __get_dlci(rpn->dlci);
1450 
1451         u8 bit_rate  = 0;
1452         u8 data_bits = 0;
1453         u8 stop_bits = 0;
1454         u8 parity    = 0;
1455         u8 flow_ctrl = 0;
1456         u8 xon_char  = 0;
1457         u8 xoff_char = 0;
1458         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1459 
1460         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1461                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1462                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1463 
1464         if (!cr)
1465                 return 0;
1466 
1467         if (len == 1) {
1468                 /* This is a request, return default (according to ETSI TS 07.10) settings */
1469                 bit_rate  = RFCOMM_RPN_BR_9600;
1470                 data_bits = RFCOMM_RPN_DATA_8;
1471                 stop_bits = RFCOMM_RPN_STOP_1;
1472                 parity    = RFCOMM_RPN_PARITY_NONE;
1473                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1474                 xon_char  = RFCOMM_RPN_XON_CHAR;
1475                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1476                 goto rpn_out;
1477         }
1478 
1479         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1480          * no parity, no flow control lines, normal XON/XOFF chars */
1481 
1482         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1483                 bit_rate = rpn->bit_rate;
1484                 if (bit_rate > RFCOMM_RPN_BR_230400) {
1485                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1486                         bit_rate = RFCOMM_RPN_BR_9600;
1487                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1488                 }
1489         }
1490 
1491         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1492                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1493                 if (data_bits != RFCOMM_RPN_DATA_8) {
1494                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1495                         data_bits = RFCOMM_RPN_DATA_8;
1496                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1497                 }
1498         }
1499 
1500         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1501                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1502                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1503                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1504                         stop_bits = RFCOMM_RPN_STOP_1;
1505                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1506                 }
1507         }
1508 
1509         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1510                 parity = __get_rpn_parity(rpn->line_settings);
1511                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1512                         BT_DBG("RPN parity mismatch 0x%x", parity);
1513                         parity = RFCOMM_RPN_PARITY_NONE;
1514                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1515                 }
1516         }
1517 
1518         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1519                 flow_ctrl = rpn->flow_ctrl;
1520                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1521                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1522                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1523                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1524                 }
1525         }
1526 
1527         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1528                 xon_char = rpn->xon_char;
1529                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1530                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1531                         xon_char = RFCOMM_RPN_XON_CHAR;
1532                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1533                 }
1534         }
1535 
1536         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1537                 xoff_char = rpn->xoff_char;
1538                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1539                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1540                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1541                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1542                 }
1543         }
1544 
1545 rpn_out:
1546         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1547                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1548 
1549         return 0;
1550 }
1551 
1552 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1553 {
1554         struct rfcomm_rls *rls = (void *) skb->data;
1555         u8 dlci = __get_dlci(rls->dlci);
1556 
1557         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1558 
1559         if (!cr)
1560                 return 0;
1561 
1562         /* We should probably do something with this information here. But
1563          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1564          * mandatory to recognise and respond to RLS */
1565 
1566         rfcomm_send_rls(s, 0, dlci, rls->status);
1567 
1568         return 0;
1569 }
1570 
1571 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1572 {
1573         struct rfcomm_msc *msc = (void *) skb->data;
1574         struct rfcomm_dlc *d;
1575         u8 dlci = __get_dlci(msc->dlci);
1576 
1577         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1578 
1579         d = rfcomm_dlc_get(s, dlci);
1580         if (!d)
1581                 return 0;
1582 
1583         if (cr) {
1584                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1585                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1586                 else
1587                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1588 
1589                 rfcomm_dlc_lock(d);
1590 
1591                 d->remote_v24_sig = msc->v24_sig;
1592 
1593                 if (d->modem_status)
1594                         d->modem_status(d, msc->v24_sig);
1595 
1596                 rfcomm_dlc_unlock(d);
1597 
1598                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1599 
1600                 d->mscex |= RFCOMM_MSCEX_RX;
1601         } else
1602                 d->mscex |= RFCOMM_MSCEX_TX;
1603 
1604         return 0;
1605 }
1606 
1607 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1608 {
1609         struct rfcomm_mcc *mcc = (void *) skb->data;
1610         u8 type, cr, len;
1611 
1612         cr   = __test_cr(mcc->type);
1613         type = __get_mcc_type(mcc->type);
1614         len  = __get_mcc_len(mcc->len);
1615 
1616         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1617 
1618         skb_pull(skb, 2);
1619 
1620         switch (type) {
1621         case RFCOMM_PN:
1622                 rfcomm_recv_pn(s, cr, skb);
1623                 break;
1624 
1625         case RFCOMM_RPN:
1626                 rfcomm_recv_rpn(s, cr, len, skb);
1627                 break;
1628 
1629         case RFCOMM_RLS:
1630                 rfcomm_recv_rls(s, cr, skb);
1631                 break;
1632 
1633         case RFCOMM_MSC:
1634                 rfcomm_recv_msc(s, cr, skb);
1635                 break;
1636 
1637         case RFCOMM_FCOFF:
1638                 if (cr) {
1639                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1640                         rfcomm_send_fcoff(s, 0);
1641                 }
1642                 break;
1643 
1644         case RFCOMM_FCON:
1645                 if (cr) {
1646                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1647                         rfcomm_send_fcon(s, 0);
1648                 }
1649                 break;
1650 
1651         case RFCOMM_TEST:
1652                 if (cr)
1653                         rfcomm_send_test(s, 0, skb->data, skb->len);
1654                 break;
1655 
1656         case RFCOMM_NSC:
1657                 break;
1658 
1659         default:
1660                 BT_ERR("Unknown control type 0x%02x", type);
1661                 rfcomm_send_nsc(s, cr, type);
1662                 break;
1663         }
1664         return 0;
1665 }
1666 
1667 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1668 {
1669         struct rfcomm_dlc *d;
1670 
1671         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1672 
1673         d = rfcomm_dlc_get(s, dlci);
1674         if (!d) {
1675                 rfcomm_send_dm(s, dlci);
1676                 goto drop;
1677         }
1678 
1679         if (pf && d->cfc) {
1680                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1681 
1682                 d->tx_credits += credits;
1683                 if (d->tx_credits)
1684                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1685         }
1686 
1687         if (skb->len && d->state == BT_CONNECTED) {
1688                 rfcomm_dlc_lock(d);
1689                 d->rx_credits--;
1690                 d->data_ready(d, skb);
1691                 rfcomm_dlc_unlock(d);
1692                 return 0;
1693         }
1694 
1695 drop:
1696         kfree_skb(skb);
1697         return 0;
1698 }
1699 
1700 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1701                                                 struct sk_buff *skb)
1702 {
1703         struct rfcomm_hdr *hdr = (void *) skb->data;
1704         u8 type, dlci, fcs;
1705 
1706         if (!s) {
1707                 /* no session, so free socket data */
1708                 kfree_skb(skb);
1709                 return s;
1710         }
1711 
1712         dlci = __get_dlci(hdr->addr);
1713         type = __get_type(hdr->ctrl);
1714 
1715         /* Trim FCS */
1716         skb->len--; skb->tail--;
1717         fcs = *(u8 *)skb_tail_pointer(skb);
1718 
1719         if (__check_fcs(skb->data, type, fcs)) {
1720                 BT_ERR("bad checksum in packet");
1721                 kfree_skb(skb);
1722                 return s;
1723         }
1724 
1725         if (__test_ea(hdr->len))
1726                 skb_pull(skb, 3);
1727         else
1728                 skb_pull(skb, 4);
1729 
1730         switch (type) {
1731         case RFCOMM_SABM:
1732                 if (__test_pf(hdr->ctrl))
1733                         rfcomm_recv_sabm(s, dlci);
1734                 break;
1735 
1736         case RFCOMM_DISC:
1737                 if (__test_pf(hdr->ctrl))
1738                         s = rfcomm_recv_disc(s, dlci);
1739                 break;
1740 
1741         case RFCOMM_UA:
1742                 if (__test_pf(hdr->ctrl))
1743                         s = rfcomm_recv_ua(s, dlci);
1744                 break;
1745 
1746         case RFCOMM_DM:
1747                 s = rfcomm_recv_dm(s, dlci);
1748                 break;
1749 
1750         case RFCOMM_UIH:
1751                 if (dlci) {
1752                         rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1753                         return s;
1754                 }
1755                 rfcomm_recv_mcc(s, skb);
1756                 break;
1757 
1758         default:
1759                 BT_ERR("Unknown packet type 0x%02x", type);
1760                 break;
1761         }
1762         kfree_skb(skb);
1763         return s;
1764 }
1765 
1766 /* ---- Connection and data processing ---- */
1767 
1768 static void rfcomm_process_connect(struct rfcomm_session *s)
1769 {
1770         struct rfcomm_dlc *d, *n;
1771 
1772         BT_DBG("session %p state %ld", s, s->state);
1773 
1774         list_for_each_entry_safe(d, n, &s->dlcs, list) {
1775                 if (d->state == BT_CONFIG) {
1776                         d->mtu = s->mtu;
1777                         if (rfcomm_check_security(d)) {
1778                                 rfcomm_send_pn(s, 1, d);
1779                         } else {
1780                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1781                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1782                         }
1783                 }
1784         }
1785 }
1786 
1787 /* Send data queued for the DLC.
1788  * Return number of frames left in the queue.
1789  */
1790 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1791 {
1792         struct sk_buff *skb;
1793         int err;
1794 
1795         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1796                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1797 
1798         /* Send pending MSC */
1799         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1800                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1801 
1802         if (d->cfc) {
1803                 /* CFC enabled.
1804                  * Give them some credits */
1805                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1806                                 d->rx_credits <= (d->cfc >> 2)) {
1807                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1808                         d->rx_credits = d->cfc;
1809                 }
1810         } else {
1811                 /* CFC disabled.
1812                  * Give ourselves some credits */
1813                 d->tx_credits = 5;
1814         }
1815 
1816         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1817                 return skb_queue_len(&d->tx_queue);
1818 
1819         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1820                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1821                 if (err < 0) {
1822                         skb_queue_head(&d->tx_queue, skb);
1823                         break;
1824                 }
1825                 kfree_skb(skb);
1826                 d->tx_credits--;
1827         }
1828 
1829         if (d->cfc && !d->tx_credits) {
1830                 /* We're out of TX credits.
1831                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1832                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1833         }
1834 
1835         return skb_queue_len(&d->tx_queue);
1836 }
1837 
1838 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1839 {
1840         struct rfcomm_dlc *d, *n;
1841 
1842         BT_DBG("session %p state %ld", s, s->state);
1843 
1844         list_for_each_entry_safe(d, n, &s->dlcs, list) {
1845                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1846                         __rfcomm_dlc_close(d, ETIMEDOUT);
1847                         continue;
1848                 }
1849 
1850                 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1851                         __rfcomm_dlc_close(d, ECONNREFUSED);
1852                         continue;
1853                 }
1854 
1855                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1856                         rfcomm_dlc_clear_timer(d);
1857                         if (d->out) {
1858                                 rfcomm_send_pn(s, 1, d);
1859                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1860                         } else {
1861                                 if (d->defer_setup) {
1862                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1863                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1864 
1865                                         rfcomm_dlc_lock(d);
1866                                         d->state = BT_CONNECT2;
1867                                         d->state_change(d, 0);
1868                                         rfcomm_dlc_unlock(d);
1869                                 } else
1870                                         rfcomm_dlc_accept(d);
1871                         }
1872                         continue;
1873                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1874                         rfcomm_dlc_clear_timer(d);
1875                         if (!d->out)
1876                                 rfcomm_send_dm(s, d->dlci);
1877                         else
1878                                 d->state = BT_CLOSED;
1879                         __rfcomm_dlc_close(d, ECONNREFUSED);
1880                         continue;
1881                 }
1882 
1883                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1884                         continue;
1885 
1886                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1887                         continue;
1888 
1889                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1890                                                 d->mscex == RFCOMM_MSCEX_OK)
1891                         rfcomm_process_tx(d);
1892         }
1893 }
1894 
1895 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1896 {
1897         struct socket *sock = s->sock;
1898         struct sock *sk = sock->sk;
1899         struct sk_buff *skb;
1900 
1901         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1902 
1903         /* Get data directly from socket receive queue without copying it. */
1904         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1905                 skb_orphan(skb);
1906                 if (!skb_linearize(skb)) {
1907                         s = rfcomm_recv_frame(s, skb);
1908                         if (!s)
1909                                 break;
1910                 } else {
1911                         kfree_skb(skb);
1912                 }
1913         }
1914 
1915         if (s && (sk->sk_state == BT_CLOSED))
1916                 s = rfcomm_session_close(s, sk->sk_err);
1917 
1918         return s;
1919 }
1920 
1921 static void rfcomm_accept_connection(struct rfcomm_session *s)
1922 {
1923         struct socket *sock = s->sock, *nsock;
1924         int err;
1925 
1926         /* Fast check for a new connection.
1927          * Avoids unnesesary socket allocations. */
1928         if (list_empty(&bt_sk(sock->sk)->accept_q))
1929                 return;
1930 
1931         BT_DBG("session %p", s);
1932 
1933         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1934         if (err < 0)
1935                 return;
1936 
1937         /* Set our callbacks */
1938         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1939         nsock->sk->sk_state_change = rfcomm_l2state_change;
1940 
1941         s = rfcomm_session_add(nsock, BT_OPEN);
1942         if (s) {
1943                 /* We should adjust MTU on incoming sessions.
1944                  * L2CAP MTU minus UIH header and FCS. */
1945                 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1946                                 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1947 
1948                 rfcomm_schedule();
1949         } else
1950                 sock_release(nsock);
1951 }
1952 
1953 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1954 {
1955         struct sock *sk = s->sock->sk;
1956 
1957         BT_DBG("%p state %ld", s, s->state);
1958 
1959         switch (sk->sk_state) {
1960         case BT_CONNECTED:
1961                 s->state = BT_CONNECT;
1962 
1963                 /* We can adjust MTU on outgoing sessions.
1964                  * L2CAP MTU minus UIH header and FCS. */
1965                 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1966 
1967                 rfcomm_send_sabm(s, 0);
1968                 break;
1969 
1970         case BT_CLOSED:
1971                 s = rfcomm_session_close(s, sk->sk_err);
1972                 break;
1973         }
1974         return s;
1975 }
1976 
1977 static void rfcomm_process_sessions(void)
1978 {
1979         struct rfcomm_session *s, *n;
1980 
1981         rfcomm_lock();
1982 
1983         list_for_each_entry_safe(s, n, &session_list, list) {
1984                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1985                         s->state = BT_DISCONN;
1986                         rfcomm_send_disc(s, 0);
1987                         continue;
1988                 }
1989 
1990                 switch (s->state) {
1991                 case BT_LISTEN:
1992                         rfcomm_accept_connection(s);
1993                         continue;
1994 
1995                 case BT_BOUND:
1996                         s = rfcomm_check_connection(s);
1997                         break;
1998 
1999                 default:
2000                         s = rfcomm_process_rx(s);
2001                         break;
2002                 }
2003 
2004                 if (s)
2005                         rfcomm_process_dlcs(s);
2006         }
2007 
2008         rfcomm_unlock();
2009 }
2010 
2011 static int rfcomm_add_listener(bdaddr_t *ba)
2012 {
2013         struct sockaddr_l2 addr;
2014         struct socket *sock;
2015         struct sock *sk;
2016         struct rfcomm_session *s;
2017         int    err = 0;
2018 
2019         /* Create socket */
2020         err = rfcomm_l2sock_create(&sock);
2021         if (err < 0) {
2022                 BT_ERR("Create socket failed %d", err);
2023                 return err;
2024         }
2025 
2026         /* Bind socket */
2027         bacpy(&addr.l2_bdaddr, ba);
2028         addr.l2_family = AF_BLUETOOTH;
2029         addr.l2_psm    = cpu_to_le16(L2CAP_PSM_RFCOMM);
2030         addr.l2_cid    = 0;
2031         addr.l2_bdaddr_type = BDADDR_BREDR;
2032         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2033         if (err < 0) {
2034                 BT_ERR("Bind failed %d", err);
2035                 goto failed;
2036         }
2037 
2038         /* Set L2CAP options */
2039         sk = sock->sk;
2040         lock_sock(sk);
2041         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2042         release_sock(sk);
2043 
2044         /* Start listening on the socket */
2045         err = kernel_listen(sock, 10);
2046         if (err) {
2047                 BT_ERR("Listen failed %d", err);
2048                 goto failed;
2049         }
2050 
2051         /* Add listening session */
2052         s = rfcomm_session_add(sock, BT_LISTEN);
2053         if (!s) {
2054                 err = -ENOMEM;
2055                 goto failed;
2056         }
2057 
2058         return 0;
2059 failed:
2060         sock_release(sock);
2061         return err;
2062 }
2063 
2064 static void rfcomm_kill_listener(void)
2065 {
2066         struct rfcomm_session *s, *n;
2067 
2068         BT_DBG("");
2069 
2070         list_for_each_entry_safe(s, n, &session_list, list)
2071                 rfcomm_session_del(s);
2072 }
2073 
2074 static int rfcomm_run(void *unused)
2075 {
2076         DEFINE_WAIT_FUNC(wait, woken_wake_function);
2077         BT_DBG("");
2078 
2079         set_user_nice(current, -10);
2080 
2081         rfcomm_add_listener(BDADDR_ANY);
2082 
2083         add_wait_queue(&rfcomm_wq, &wait);
2084         while (!kthread_should_stop()) {
2085 
2086                 /* Process stuff */
2087                 rfcomm_process_sessions();
2088 
2089                 wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
2090         }
2091         remove_wait_queue(&rfcomm_wq, &wait);
2092 
2093         rfcomm_kill_listener();
2094 
2095         return 0;
2096 }
2097 
2098 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2099 {
2100         struct rfcomm_session *s;
2101         struct rfcomm_dlc *d, *n;
2102 
2103         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2104 
2105         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2106         if (!s)
2107                 return;
2108 
2109         list_for_each_entry_safe(d, n, &s->dlcs, list) {
2110                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2111                         rfcomm_dlc_clear_timer(d);
2112                         if (status || encrypt == 0x00) {
2113                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2114                                 continue;
2115                         }
2116                 }
2117 
2118                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2119                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2120                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2121                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2122                                 continue;
2123                         } else if (d->sec_level == BT_SECURITY_HIGH ||
2124                                    d->sec_level == BT_SECURITY_FIPS) {
2125                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2126                                 continue;
2127                         }
2128                 }
2129 
2130                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2131                         continue;
2132 
2133                 if (!status && hci_conn_check_secure(conn, d->sec_level))
2134                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2135                 else
2136                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2137         }
2138 
2139         rfcomm_schedule();
2140 }
2141 
2142 static struct hci_cb rfcomm_cb = {
2143         .name           = "RFCOMM",
2144         .security_cfm   = rfcomm_security_cfm
2145 };
2146 
2147 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2148 {
2149         struct rfcomm_session *s;
2150 
2151         rfcomm_lock();
2152 
2153         list_for_each_entry(s, &session_list, list) {
2154                 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
2155                 struct rfcomm_dlc *d;
2156                 list_for_each_entry(d, &s->dlcs, list) {
2157                         seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2158                                    &chan->src, &chan->dst,
2159                                    d->state, d->dlci, d->mtu,
2160                                    d->rx_credits, d->tx_credits);
2161                 }
2162         }
2163 
2164         rfcomm_unlock();
2165 
2166         return 0;
2167 }
2168 
2169 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2170 {
2171         return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2172 }
2173 
2174 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2175         .open           = rfcomm_dlc_debugfs_open,
2176         .read           = seq_read,
2177         .llseek         = seq_lseek,
2178         .release        = single_release,
2179 };
2180 
2181 static struct dentry *rfcomm_dlc_debugfs;
2182 
2183 /* ---- Initialization ---- */
2184 static int __init rfcomm_init(void)
2185 {
2186         int err;
2187 
2188         hci_register_cb(&rfcomm_cb);
2189 
2190         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2191         if (IS_ERR(rfcomm_thread)) {
2192                 err = PTR_ERR(rfcomm_thread);
2193                 goto unregister;
2194         }
2195 
2196         err = rfcomm_init_ttys();
2197         if (err < 0)
2198                 goto stop;
2199 
2200         err = rfcomm_init_sockets();
2201         if (err < 0)
2202                 goto cleanup;
2203 
2204         BT_INFO("RFCOMM ver %s", VERSION);
2205 
2206         if (IS_ERR_OR_NULL(bt_debugfs))
2207                 return 0;
2208 
2209         rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2210                                                  bt_debugfs, NULL,
2211                                                  &rfcomm_dlc_debugfs_fops);
2212 
2213         return 0;
2214 
2215 cleanup:
2216         rfcomm_cleanup_ttys();
2217 
2218 stop:
2219         kthread_stop(rfcomm_thread);
2220 
2221 unregister:
2222         hci_unregister_cb(&rfcomm_cb);
2223 
2224         return err;
2225 }
2226 
2227 static void __exit rfcomm_exit(void)
2228 {
2229         debugfs_remove(rfcomm_dlc_debugfs);
2230 
2231         hci_unregister_cb(&rfcomm_cb);
2232 
2233         kthread_stop(rfcomm_thread);
2234 
2235         rfcomm_cleanup_ttys();
2236 
2237         rfcomm_cleanup_sockets();
2238 }
2239 
2240 module_init(rfcomm_init);
2241 module_exit(rfcomm_exit);
2242 
2243 module_param(disable_cfc, bool, 0644);
2244 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2245 
2246 module_param(channel_mtu, int, 0644);
2247 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2248 
2249 module_param(l2cap_mtu, uint, 0644);
2250 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2251 
2252 module_param(l2cap_ertm, bool, 0644);
2253 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2254 
2255 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2256 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2257 MODULE_VERSION(VERSION);
2258 MODULE_LICENSE("GPL");
2259 MODULE_ALIAS("bt-proto-3");
2260 

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us