search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ARM: mmp: fix potential NULL dereference
[linux/fpc-iii.git] / net / bluetooth / rfcomm / core.c
blobc75107ef89204877315ea8d61248c2fa4e2bddd2
1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * Bluetooth RFCOMM core.
26 */
27
28 #include <linux/module.h>
29 #include <linux/debugfs.h>
30 #include <linux/kthread.h>
31 #include <asm/unaligned.h>
32
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35 #include <net/bluetooth/l2cap.h>
36 #include <net/bluetooth/rfcomm.h>
37
38 #define VERSION "1.11"
39
40 static bool disable_cfc;
41 static bool l2cap_ertm;
42 static int channel_mtu = -1;
43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44
45 static struct task_struct *rfcomm_thread;
46
47 static DEFINE_MUTEX(rfcomm_mutex);
48 #define rfcomm_lock() mutex_lock(&rfcomm_mutex)
49 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
50
51
52 static LIST_HEAD(session_list);
53
54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64
65 static void rfcomm_process_connect(struct rfcomm_session *s);
66
67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68 bdaddr_t *dst,
69 u8 sec_level,
70 int *err);
71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
72 static void rfcomm_session_del(struct rfcomm_session *s);
73
74 /* ---- RFCOMM frame parsing macros ---- */
75 #define __get_dlci(b) ((b & 0xfc) >> 2)
76 #define __get_channel(b) ((b & 0xf8) >> 3)
77 #define __get_dir(b) ((b & 0x04) >> 2)
78 #define __get_type(b) ((b & 0xef))
79
80 #define __test_ea(b) ((b & 0x01))
81 #define __test_cr(b) ((b & 0x02))
82 #define __test_pf(b) ((b & 0x10))
83
84 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
85 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
86 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
87 #define __srv_channel(dlci) (dlci >> 1)
88 #define __dir(dlci) (dlci & 0x01)
89
90 #define __len8(len) (((len) << 1) | 1)
91 #define __len16(len) ((len) << 1)
92
93 /* MCC macros */
94 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
95 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
96 #define __get_mcc_len(b) ((b & 0xfe) >> 1)
97
98 /* RPN macros */
99 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
100 #define __get_rpn_data_bits(line) ((line) & 0x3)
101 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
102 #define __get_rpn_parity(line) (((line) >> 3) & 0x7)
103
104 static void rfcomm_schedule(void)
105 {
106 if (!rfcomm_thread)
107 return;
108 wake_up_process(rfcomm_thread);
109 }
110
111 static void rfcomm_session_put(struct rfcomm_session *s)
112 {
113 if (atomic_dec_and_test(&s->refcnt))
114 rfcomm_session_del(s);
115 }
116
117 /* ---- RFCOMM FCS computation ---- */
118
119 /* reversed, 8-bit, poly=0x07 */
120 static unsigned char rfcomm_crc_table[256] = {
121 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
122 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
123 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
124 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
125
126 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
127 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
128 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
129 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
130
131 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
132 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
133 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
134 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
135
136 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
137 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
138 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
139 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
140
141 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
142 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
143 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
144 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
145
146 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
147 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
148 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
149 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
150
151 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
152 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
153 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
154 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
155
156 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
157 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
158 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
159 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
160 };
161
162 /* CRC on 2 bytes */
163 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
164
165 /* FCS on 2 bytes */
166 static inline u8 __fcs(u8 *data)
167 {
168 return 0xff - __crc(data);
169 }
170
171 /* FCS on 3 bytes */
172 static inline u8 __fcs2(u8 *data)
173 {
174 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
175 }
176
177 /* Check FCS */
178 static inline int __check_fcs(u8 *data, int type, u8 fcs)
179 {
180 u8 f = __crc(data);
181
182 if (type != RFCOMM_UIH)
183 f = rfcomm_crc_table[f ^ data[2]];
184
185 return rfcomm_crc_table[f ^ fcs] != 0xcf;
186 }
187
188 /* ---- L2CAP callbacks ---- */
189 static void rfcomm_l2state_change(struct sock *sk)
190 {
191 BT_DBG("%p state %d", sk, sk->sk_state);
192 rfcomm_schedule();
193 }
194
195 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
196 {
197 BT_DBG("%p bytes %d", sk, bytes);
198 rfcomm_schedule();
199 }
200
201 static int rfcomm_l2sock_create(struct socket **sock)
202 {
203 int err;
204
205 BT_DBG("");
206
207 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
208 if (!err) {
209 struct sock *sk = (*sock)->sk;
210 sk->sk_data_ready = rfcomm_l2data_ready;
211 sk->sk_state_change = rfcomm_l2state_change;
212 }
213 return err;
214 }
215
216 static int rfcomm_check_security(struct rfcomm_dlc *d)
217 {
218 struct sock *sk = d->session->sock->sk;
219 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
220
221 __u8 auth_type;
222
223 switch (d->sec_level) {
224 case BT_SECURITY_HIGH:
225 auth_type = HCI_AT_GENERAL_BONDING_MITM;
226 break;
227 case BT_SECURITY_MEDIUM:
228 auth_type = HCI_AT_GENERAL_BONDING;
229 break;
230 default:
231 auth_type = HCI_AT_NO_BONDING;
232 break;
233 }
234
235 return hci_conn_security(conn->hcon, d->sec_level, auth_type);
236 }
237
238 static void rfcomm_session_timeout(unsigned long arg)
239 {
240 struct rfcomm_session *s = (void *) arg;
241
242 BT_DBG("session %p state %ld", s, s->state);
243
244 set_bit(RFCOMM_TIMED_OUT, &s->flags);
245 rfcomm_schedule();
246 }
247
248 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
249 {
250 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
251
252 if (!mod_timer(&s->timer, jiffies + timeout))
253 rfcomm_session_hold(s);
254 }
255
256 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
257 {
258 BT_DBG("session %p state %ld", s, s->state);
259
260 if (timer_pending(&s->timer) && del_timer(&s->timer))
261 rfcomm_session_put(s);
262 }
263
264 /* ---- RFCOMM DLCs ---- */
265 static void rfcomm_dlc_timeout(unsigned long arg)
266 {
267 struct rfcomm_dlc *d = (void *) arg;
268
269 BT_DBG("dlc %p state %ld", d, d->state);
270
271 set_bit(RFCOMM_TIMED_OUT, &d->flags);
272 rfcomm_dlc_put(d);
273 rfcomm_schedule();
274 }
275
276 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
277 {
278 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
279
280 if (!mod_timer(&d->timer, jiffies + timeout))
281 rfcomm_dlc_hold(d);
282 }
283
284 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
285 {
286 BT_DBG("dlc %p state %ld", d, d->state);
287
288 if (timer_pending(&d->timer) && del_timer(&d->timer))
289 rfcomm_dlc_put(d);
290 }
291
292 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
293 {
294 BT_DBG("%p", d);
295
296 d->state = BT_OPEN;
297 d->flags = 0;
298 d->mscex = 0;
299 d->sec_level = BT_SECURITY_LOW;
300 d->mtu = RFCOMM_DEFAULT_MTU;
301 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
302
303 d->cfc = RFCOMM_CFC_DISABLED;
304 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
305 }
306
307 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
308 {
309 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
310
311 if (!d)
312 return NULL;
313
314 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
315
316 skb_queue_head_init(&d->tx_queue);
317 spin_lock_init(&d->lock);
318 atomic_set(&d->refcnt, 1);
319
320 rfcomm_dlc_clear_state(d);
321
322 BT_DBG("%p", d);
323
324 return d;
325 }
326
327 void rfcomm_dlc_free(struct rfcomm_dlc *d)
328 {
329 BT_DBG("%p", d);
330
331 skb_queue_purge(&d->tx_queue);
332 kfree(d);
333 }
334
335 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
336 {
337 BT_DBG("dlc %p session %p", d, s);
338
339 rfcomm_session_hold(s);
340
341 rfcomm_session_clear_timer(s);
342 rfcomm_dlc_hold(d);
343 list_add(&d->list, &s->dlcs);
344 d->session = s;
345 }
346
347 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
348 {
349 struct rfcomm_session *s = d->session;
350
351 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
352
353 list_del(&d->list);
354 d->session = NULL;
355 rfcomm_dlc_put(d);
356
357 if (list_empty(&s->dlcs))
358 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
359
360 rfcomm_session_put(s);
361 }
362
363 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
364 {
365 struct rfcomm_dlc *d;
366
367 list_for_each_entry(d, &s->dlcs, list)
368 if (d->dlci == dlci)
369 return d;
370
371 return NULL;
372 }
373
374 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
375 {
376 struct rfcomm_session *s;
377 int err = 0;
378 u8 dlci;
379
380 BT_DBG("dlc %p state %ld %s %s channel %d",
381 d, d->state, batostr(src), batostr(dst), channel);
382
383 if (channel < 1 || channel > 30)
384 return -EINVAL;
385
386 if (d->state != BT_OPEN && d->state != BT_CLOSED)
387 return 0;
388
389 s = rfcomm_session_get(src, dst);
390 if (!s) {
391 s = rfcomm_session_create(src, dst, d->sec_level, &err);
392 if (!s)
393 return err;
394 }
395
396 dlci = __dlci(!s->initiator, channel);
397
398 /* Check if DLCI already exists */
399 if (rfcomm_dlc_get(s, dlci))
400 return -EBUSY;
401
402 rfcomm_dlc_clear_state(d);
403
404 d->dlci = dlci;
405 d->addr = __addr(s->initiator, dlci);
406 d->priority = 7;
407
408 d->state = BT_CONFIG;
409 rfcomm_dlc_link(s, d);
410
411 d->out = 1;
412
413 d->mtu = s->mtu;
414 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
415
416 if (s->state == BT_CONNECTED) {
417 if (rfcomm_check_security(d))
418 rfcomm_send_pn(s, 1, d);
419 else
420 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
421 }
422
423 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
424
425 return 0;
426 }
427
428 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
429 {
430 int r;
431
432 rfcomm_lock();
433
434 r = __rfcomm_dlc_open(d, src, dst, channel);
435
436 rfcomm_unlock();
437 return r;
438 }
439
440 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
441 {
442 struct rfcomm_session *s = d->session;
443 if (!s)
444 return 0;
445
446 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
447 d, d->state, d->dlci, err, s);
448
449 switch (d->state) {
450 case BT_CONNECT:
451 case BT_CONFIG:
452 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
453 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
454 rfcomm_schedule();
455 break;
456 }
457 /* Fall through */
458
459 case BT_CONNECTED:
460 d->state = BT_DISCONN;
461 if (skb_queue_empty(&d->tx_queue)) {
462 rfcomm_send_disc(s, d->dlci);
463 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
464 } else {
465 rfcomm_queue_disc(d);
466 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
467 }
468 break;
469
470 case BT_OPEN:
471 case BT_CONNECT2:
472 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
473 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
474 rfcomm_schedule();
475 break;
476 }
477 /* Fall through */
478
479 default:
480 rfcomm_dlc_clear_timer(d);
481
482 rfcomm_dlc_lock(d);
483 d->state = BT_CLOSED;
484 d->state_change(d, err);
485 rfcomm_dlc_unlock(d);
486
487 skb_queue_purge(&d->tx_queue);
488 rfcomm_dlc_unlink(d);
489 }
490
491 return 0;
492 }
493
494 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
495 {
496 int r;
497
498 rfcomm_lock();
499
500 r = __rfcomm_dlc_close(d, err);
501
502 rfcomm_unlock();
503 return r;
504 }
505
506 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
507 {
508 int len = skb->len;
509
510 if (d->state != BT_CONNECTED)
511 return -ENOTCONN;
512
513 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
514
515 if (len > d->mtu)
516 return -EINVAL;
517
518 rfcomm_make_uih(skb, d->addr);
519 skb_queue_tail(&d->tx_queue, skb);
520
521 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
522 rfcomm_schedule();
523 return len;
524 }
525
526 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
527 {
528 BT_DBG("dlc %p state %ld", d, d->state);
529
530 if (!d->cfc) {
531 d->v24_sig |= RFCOMM_V24_FC;
532 set_bit(RFCOMM_MSC_PENDING, &d->flags);
533 }
534 rfcomm_schedule();
535 }
536
537 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
538 {
539 BT_DBG("dlc %p state %ld", d, d->state);
540
541 if (!d->cfc) {
542 d->v24_sig &= ~RFCOMM_V24_FC;
543 set_bit(RFCOMM_MSC_PENDING, &d->flags);
544 }
545 rfcomm_schedule();
546 }
547
548 /*
549 Set/get modem status functions use _local_ status i.e. what we report
550 to the other side.
551 Remote status is provided by dlc->modem_status() callback.
552 */
553 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
554 {
555 BT_DBG("dlc %p state %ld v24_sig 0x%x",
556 d, d->state, v24_sig);
557
558 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
559 v24_sig |= RFCOMM_V24_FC;
560 else
561 v24_sig &= ~RFCOMM_V24_FC;
562
563 d->v24_sig = v24_sig;
564
565 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
566 rfcomm_schedule();
567
568 return 0;
569 }
570
571 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
572 {
573 BT_DBG("dlc %p state %ld v24_sig 0x%x",
574 d, d->state, d->v24_sig);
575
576 *v24_sig = d->v24_sig;
577 return 0;
578 }
579
580 /* ---- RFCOMM sessions ---- */
581 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
582 {
583 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
584
585 if (!s)
586 return NULL;
587
588 BT_DBG("session %p sock %p", s, sock);
589
590 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
591
592 INIT_LIST_HEAD(&s->dlcs);
593 s->state = state;
594 s->sock = sock;
595
596 s->mtu = RFCOMM_DEFAULT_MTU;
597 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
598
599 /* Do not increment module usage count for listening sessions.
600 * Otherwise we won't be able to unload the module. */
601 if (state != BT_LISTEN)
602 if (!try_module_get(THIS_MODULE)) {
603 kfree(s);
604 return NULL;
605 }
606
607 list_add(&s->list, &session_list);
608
609 return s;
610 }
611
612 static void rfcomm_session_del(struct rfcomm_session *s)
613 {
614 int state = s->state;
615
616 BT_DBG("session %p state %ld", s, s->state);
617
618 list_del(&s->list);
619
620 if (state == BT_CONNECTED)
621 rfcomm_send_disc(s, 0);
622
623 rfcomm_session_clear_timer(s);
624 sock_release(s->sock);
625 kfree(s);
626
627 if (state != BT_LISTEN)
628 module_put(THIS_MODULE);
629 }
630
631 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
632 {
633 struct rfcomm_session *s;
634 struct list_head *p, *n;
635 struct bt_sock *sk;
636 list_for_each_safe(p, n, &session_list) {
637 s = list_entry(p, struct rfcomm_session, list);
638 sk = bt_sk(s->sock->sk);
639
640 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
641 !bacmp(&sk->dst, dst))
642 return s;
643 }
644 return NULL;
645 }
646
647 static void rfcomm_session_close(struct rfcomm_session *s, int err)
648 {
649 struct rfcomm_dlc *d;
650 struct list_head *p, *n;
651
652 BT_DBG("session %p state %ld err %d", s, s->state, err);
653
654 rfcomm_session_hold(s);
655
656 s->state = BT_CLOSED;
657
658 /* Close all dlcs */
659 list_for_each_safe(p, n, &s->dlcs) {
660 d = list_entry(p, struct rfcomm_dlc, list);
661 d->state = BT_CLOSED;
662 __rfcomm_dlc_close(d, err);
663 }
664
665 rfcomm_session_clear_timer(s);
666 rfcomm_session_put(s);
667 }
668
669 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
670 bdaddr_t *dst,
671 u8 sec_level,
672 int *err)
673 {
674 struct rfcomm_session *s = NULL;
675 struct sockaddr_l2 addr;
676 struct socket *sock;
677 struct sock *sk;
678
679 BT_DBG("%s %s", batostr(src), batostr(dst));
680
681 *err = rfcomm_l2sock_create(&sock);
682 if (*err < 0)
683 return NULL;
684
685 bacpy(&addr.l2_bdaddr, src);
686 addr.l2_family = AF_BLUETOOTH;
687 addr.l2_psm = 0;
688 addr.l2_cid = 0;
689 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
690 if (*err < 0)
691 goto failed;
692
693 /* Set L2CAP options */
694 sk = sock->sk;
695 lock_sock(sk);
696 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
697 l2cap_pi(sk)->chan->sec_level = sec_level;
698 if (l2cap_ertm)
699 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
700 release_sock(sk);
701
702 s = rfcomm_session_add(sock, BT_BOUND);
703 if (!s) {
704 *err = -ENOMEM;
705 goto failed;
706 }
707
708 s->initiator = 1;
709
710 bacpy(&addr.l2_bdaddr, dst);
711 addr.l2_family = AF_BLUETOOTH;
712 addr.l2_psm = cpu_to_le16(RFCOMM_PSM);
713 addr.l2_cid = 0;
714 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
715 if (*err == 0 || *err == -EINPROGRESS)
716 return s;
717
718 rfcomm_session_del(s);
719 return NULL;
720
721 failed:
722 sock_release(sock);
723 return NULL;
724 }
725
726 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
727 {
728 struct sock *sk = s->sock->sk;
729 if (src)
730 bacpy(src, &bt_sk(sk)->src);
731 if (dst)
732 bacpy(dst, &bt_sk(sk)->dst);
733 }
734
735 /* ---- RFCOMM frame sending ---- */
736 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
737 {
738 struct kvec iv = { data, len };
739 struct msghdr msg;
740
741 BT_DBG("session %p len %d", s, len);
742
743 memset(&msg, 0, sizeof(msg));
744
745 return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
746 }
747
748 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
749 {
750 BT_DBG("%p cmd %u", s, cmd->ctrl);
751
752 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
753 }
754
755 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
756 {
757 struct rfcomm_cmd cmd;
758
759 BT_DBG("%p dlci %d", s, dlci);
760
761 cmd.addr = __addr(s->initiator, dlci);
762 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
763 cmd.len = __len8(0);
764 cmd.fcs = __fcs2((u8 *) &cmd);
765
766 return rfcomm_send_cmd(s, &cmd);
767 }
768
769 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
770 {
771 struct rfcomm_cmd cmd;
772
773 BT_DBG("%p dlci %d", s, dlci);
774
775 cmd.addr = __addr(!s->initiator, dlci);
776 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
777 cmd.len = __len8(0);
778 cmd.fcs = __fcs2((u8 *) &cmd);
779
780 return rfcomm_send_cmd(s, &cmd);
781 }
782
783 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
784 {
785 struct rfcomm_cmd cmd;
786
787 BT_DBG("%p dlci %d", s, dlci);
788
789 cmd.addr = __addr(s->initiator, dlci);
790 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
791 cmd.len = __len8(0);
792 cmd.fcs = __fcs2((u8 *) &cmd);
793
794 return rfcomm_send_cmd(s, &cmd);
795 }
796
797 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
798 {
799 struct rfcomm_cmd *cmd;
800 struct sk_buff *skb;
801
802 BT_DBG("dlc %p dlci %d", d, d->dlci);
803
804 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
805 if (!skb)
806 return -ENOMEM;
807
808 cmd = (void *) __skb_put(skb, sizeof(*cmd));
809 cmd->addr = d->addr;
810 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
811 cmd->len = __len8(0);
812 cmd->fcs = __fcs2((u8 *) cmd);
813
814 skb_queue_tail(&d->tx_queue, skb);
815 rfcomm_schedule();
816 return 0;
817 }
818
819 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
820 {
821 struct rfcomm_cmd cmd;
822
823 BT_DBG("%p dlci %d", s, dlci);
824
825 cmd.addr = __addr(!s->initiator, dlci);
826 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
827 cmd.len = __len8(0);
828 cmd.fcs = __fcs2((u8 *) &cmd);
829
830 return rfcomm_send_cmd(s, &cmd);
831 }
832
833 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
834 {
835 struct rfcomm_hdr *hdr;
836 struct rfcomm_mcc *mcc;
837 u8 buf[16], *ptr = buf;
838
839 BT_DBG("%p cr %d type %d", s, cr, type);
840
841 hdr = (void *) ptr; ptr += sizeof(*hdr);
842 hdr->addr = __addr(s->initiator, 0);
843 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
844 hdr->len = __len8(sizeof(*mcc) + 1);
845
846 mcc = (void *) ptr; ptr += sizeof(*mcc);
847 mcc->type = __mcc_type(cr, RFCOMM_NSC);
848 mcc->len = __len8(1);
849
850 /* Type that we didn't like */
851 *ptr = __mcc_type(cr, type); ptr++;
852
853 *ptr = __fcs(buf); ptr++;
854
855 return rfcomm_send_frame(s, buf, ptr - buf);
856 }
857
858 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
859 {
860 struct rfcomm_hdr *hdr;
861 struct rfcomm_mcc *mcc;
862 struct rfcomm_pn *pn;
863 u8 buf[16], *ptr = buf;
864
865 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
866
867 hdr = (void *) ptr; ptr += sizeof(*hdr);
868 hdr->addr = __addr(s->initiator, 0);
869 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
870 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
871
872 mcc = (void *) ptr; ptr += sizeof(*mcc);
873 mcc->type = __mcc_type(cr, RFCOMM_PN);
874 mcc->len = __len8(sizeof(*pn));
875
876 pn = (void *) ptr; ptr += sizeof(*pn);
877 pn->dlci = d->dlci;
878 pn->priority = d->priority;
879 pn->ack_timer = 0;
880 pn->max_retrans = 0;
881
882 if (s->cfc) {
883 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
884 pn->credits = RFCOMM_DEFAULT_CREDITS;
885 } else {
886 pn->flow_ctrl = 0;
887 pn->credits = 0;
888 }
889
890 if (cr && channel_mtu >= 0)
891 pn->mtu = cpu_to_le16(channel_mtu);
892 else
893 pn->mtu = cpu_to_le16(d->mtu);
894
895 *ptr = __fcs(buf); ptr++;
896
897 return rfcomm_send_frame(s, buf, ptr - buf);
898 }
899
900 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
901 u8 bit_rate, u8 data_bits, u8 stop_bits,
902 u8 parity, u8 flow_ctrl_settings,
903 u8 xon_char, u8 xoff_char, u16 param_mask)
904 {
905 struct rfcomm_hdr *hdr;
906 struct rfcomm_mcc *mcc;
907 struct rfcomm_rpn *rpn;
908 u8 buf[16], *ptr = buf;
909
910 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
911 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
912 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
913 flow_ctrl_settings, xon_char, xoff_char, param_mask);
914
915 hdr = (void *) ptr; ptr += sizeof(*hdr);
916 hdr->addr = __addr(s->initiator, 0);
917 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
918 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
919
920 mcc = (void *) ptr; ptr += sizeof(*mcc);
921 mcc->type = __mcc_type(cr, RFCOMM_RPN);
922 mcc->len = __len8(sizeof(*rpn));
923
924 rpn = (void *) ptr; ptr += sizeof(*rpn);
925 rpn->dlci = __addr(1, dlci);
926 rpn->bit_rate = bit_rate;
927 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
928 rpn->flow_ctrl = flow_ctrl_settings;
929 rpn->xon_char = xon_char;
930 rpn->xoff_char = xoff_char;
931 rpn->param_mask = cpu_to_le16(param_mask);
932
933 *ptr = __fcs(buf); ptr++;
934
935 return rfcomm_send_frame(s, buf, ptr - buf);
936 }
937
938 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
939 {
940 struct rfcomm_hdr *hdr;
941 struct rfcomm_mcc *mcc;
942 struct rfcomm_rls *rls;
943 u8 buf[16], *ptr = buf;
944
945 BT_DBG("%p cr %d status 0x%x", s, cr, status);
946
947 hdr = (void *) ptr; ptr += sizeof(*hdr);
948 hdr->addr = __addr(s->initiator, 0);
949 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
950 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
951
952 mcc = (void *) ptr; ptr += sizeof(*mcc);
953 mcc->type = __mcc_type(cr, RFCOMM_RLS);
954 mcc->len = __len8(sizeof(*rls));
955
956 rls = (void *) ptr; ptr += sizeof(*rls);
957 rls->dlci = __addr(1, dlci);
958 rls->status = status;
959
960 *ptr = __fcs(buf); ptr++;
961
962 return rfcomm_send_frame(s, buf, ptr - buf);
963 }
964
965 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
966 {
967 struct rfcomm_hdr *hdr;
968 struct rfcomm_mcc *mcc;
969 struct rfcomm_msc *msc;
970 u8 buf[16], *ptr = buf;
971
972 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
973
974 hdr = (void *) ptr; ptr += sizeof(*hdr);
975 hdr->addr = __addr(s->initiator, 0);
976 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
977 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
978
979 mcc = (void *) ptr; ptr += sizeof(*mcc);
980 mcc->type = __mcc_type(cr, RFCOMM_MSC);
981 mcc->len = __len8(sizeof(*msc));
982
983 msc = (void *) ptr; ptr += sizeof(*msc);
984 msc->dlci = __addr(1, dlci);
985 msc->v24_sig = v24_sig | 0x01;
986
987 *ptr = __fcs(buf); ptr++;
988
989 return rfcomm_send_frame(s, buf, ptr - buf);
990 }
991
992 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
993 {
994 struct rfcomm_hdr *hdr;
995 struct rfcomm_mcc *mcc;
996 u8 buf[16], *ptr = buf;
997
998 BT_DBG("%p cr %d", s, cr);
999
1000 hdr = (void *) ptr; ptr += sizeof(*hdr);
1001 hdr->addr = __addr(s->initiator, 0);
1002 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1003 hdr->len = __len8(sizeof(*mcc));
1004
1005 mcc = (void *) ptr; ptr += sizeof(*mcc);
1006 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1007 mcc->len = __len8(0);
1008
1009 *ptr = __fcs(buf); ptr++;
1010
1011 return rfcomm_send_frame(s, buf, ptr - buf);
1012 }
1013
1014 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1015 {
1016 struct rfcomm_hdr *hdr;
1017 struct rfcomm_mcc *mcc;
1018 u8 buf[16], *ptr = buf;
1019
1020 BT_DBG("%p cr %d", s, cr);
1021
1022 hdr = (void *) ptr; ptr += sizeof(*hdr);
1023 hdr->addr = __addr(s->initiator, 0);
1024 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1025 hdr->len = __len8(sizeof(*mcc));
1026
1027 mcc = (void *) ptr; ptr += sizeof(*mcc);
1028 mcc->type = __mcc_type(cr, RFCOMM_FCON);
1029 mcc->len = __len8(0);
1030
1031 *ptr = __fcs(buf); ptr++;
1032
1033 return rfcomm_send_frame(s, buf, ptr - buf);
1034 }
1035
1036 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1037 {
1038 struct socket *sock = s->sock;
1039 struct kvec iv[3];
1040 struct msghdr msg;
1041 unsigned char hdr[5], crc[1];
1042
1043 if (len > 125)
1044 return -EINVAL;
1045
1046 BT_DBG("%p cr %d", s, cr);
1047
1048 hdr[0] = __addr(s->initiator, 0);
1049 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1050 hdr[2] = 0x01 | ((len + 2) << 1);
1051 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1052 hdr[4] = 0x01 | (len << 1);
1053
1054 crc[0] = __fcs(hdr);
1055
1056 iv[0].iov_base = hdr;
1057 iv[0].iov_len = 5;
1058 iv[1].iov_base = pattern;
1059 iv[1].iov_len = len;
1060 iv[2].iov_base = crc;
1061 iv[2].iov_len = 1;
1062
1063 memset(&msg, 0, sizeof(msg));
1064
1065 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1066 }
1067
1068 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1069 {
1070 struct rfcomm_hdr *hdr;
1071 u8 buf[16], *ptr = buf;
1072
1073 BT_DBG("%p addr %d credits %d", s, addr, credits);
1074
1075 hdr = (void *) ptr; ptr += sizeof(*hdr);
1076 hdr->addr = addr;
1077 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1078 hdr->len = __len8(0);
1079
1080 *ptr = credits; ptr++;
1081
1082 *ptr = __fcs(buf); ptr++;
1083
1084 return rfcomm_send_frame(s, buf, ptr - buf);
1085 }
1086
1087 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1088 {
1089 struct rfcomm_hdr *hdr;
1090 int len = skb->len;
1091 u8 *crc;
1092
1093 if (len > 127) {
1094 hdr = (void *) skb_push(skb, 4);
1095 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1096 } else {
1097 hdr = (void *) skb_push(skb, 3);
1098 hdr->len = __len8(len);
1099 }
1100 hdr->addr = addr;
1101 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1102
1103 crc = skb_put(skb, 1);
1104 *crc = __fcs((void *) hdr);
1105 }
1106
1107 /* ---- RFCOMM frame reception ---- */
1108 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1109 {
1110 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1111
1112 if (dlci) {
1113 /* Data channel */
1114 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1115 if (!d) {
1116 rfcomm_send_dm(s, dlci);
1117 return 0;
1118 }
1119
1120 switch (d->state) {
1121 case BT_CONNECT:
1122 rfcomm_dlc_clear_timer(d);
1123
1124 rfcomm_dlc_lock(d);
1125 d->state = BT_CONNECTED;
1126 d->state_change(d, 0);
1127 rfcomm_dlc_unlock(d);
1128
1129 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1130 break;
1131
1132 case BT_DISCONN:
1133 d->state = BT_CLOSED;
1134 __rfcomm_dlc_close(d, 0);
1135
1136 if (list_empty(&s->dlcs)) {
1137 s->state = BT_DISCONN;
1138 rfcomm_send_disc(s, 0);
1139 rfcomm_session_clear_timer(s);
1140 }
1141
1142 break;
1143 }
1144 } else {
1145 /* Control channel */
1146 switch (s->state) {
1147 case BT_CONNECT:
1148 s->state = BT_CONNECTED;
1149 rfcomm_process_connect(s);
1150 break;
1151
1152 case BT_DISCONN:
1153 /* rfcomm_session_put is called later so don't do
1154 * anything here otherwise we will mess up the session
1155 * reference counter:
1156 *
1157 * (a) when we are the initiator dlc_unlink will drive
1158 * the reference counter to 0 (there is no initial put
1159 * after session_add)
1160 *
1161 * (b) when we are not the initiator rfcomm_rx_process
1162 * will explicitly call put to balance the initial hold
1163 * done after session add.
1164 */
1165 break;
1166 }
1167 }
1168 return 0;
1169 }
1170
1171 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1172 {
1173 int err = 0;
1174
1175 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1176
1177 if (dlci) {
1178 /* Data DLC */
1179 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1180 if (d) {
1181 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1182 err = ECONNREFUSED;
1183 else
1184 err = ECONNRESET;
1185
1186 d->state = BT_CLOSED;
1187 __rfcomm_dlc_close(d, err);
1188 }
1189 } else {
1190 if (s->state == BT_CONNECT)
1191 err = ECONNREFUSED;
1192 else
1193 err = ECONNRESET;
1194
1195 s->state = BT_CLOSED;
1196 rfcomm_session_close(s, err);
1197 }
1198 return 0;
1199 }
1200
1201 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1202 {
1203 int err = 0;
1204
1205 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1206
1207 if (dlci) {
1208 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1209 if (d) {
1210 rfcomm_send_ua(s, dlci);
1211
1212 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1213 err = ECONNREFUSED;
1214 else
1215 err = ECONNRESET;
1216
1217 d->state = BT_CLOSED;
1218 __rfcomm_dlc_close(d, err);
1219 } else
1220 rfcomm_send_dm(s, dlci);
1221
1222 } else {
1223 rfcomm_send_ua(s, 0);
1224
1225 if (s->state == BT_CONNECT)
1226 err = ECONNREFUSED;
1227 else
1228 err = ECONNRESET;
1229
1230 s->state = BT_CLOSED;
1231 rfcomm_session_close(s, err);
1232 }
1233
1234 return 0;
1235 }
1236
1237 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1238 {
1239 struct sock *sk = d->session->sock->sk;
1240 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1241
1242 BT_DBG("dlc %p", d);
1243
1244 rfcomm_send_ua(d->session, d->dlci);
1245
1246 rfcomm_dlc_clear_timer(d);
1247
1248 rfcomm_dlc_lock(d);
1249 d->state = BT_CONNECTED;
1250 d->state_change(d, 0);
1251 rfcomm_dlc_unlock(d);
1252
1253 if (d->role_switch)
1254 hci_conn_switch_role(conn->hcon, 0x00);
1255
1256 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1257 }
1258
1259 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1260 {
1261 if (rfcomm_check_security(d)) {
1262 if (d->defer_setup) {
1263 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1264 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1265
1266 rfcomm_dlc_lock(d);
1267 d->state = BT_CONNECT2;
1268 d->state_change(d, 0);
1269 rfcomm_dlc_unlock(d);
1270 } else
1271 rfcomm_dlc_accept(d);
1272 } else {
1273 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1274 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1275 }
1276 }
1277
1278 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1279 {
1280 struct rfcomm_dlc *d;
1281 u8 channel;
1282
1283 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1284
1285 if (!dlci) {
1286 rfcomm_send_ua(s, 0);
1287
1288 if (s->state == BT_OPEN) {
1289 s->state = BT_CONNECTED;
1290 rfcomm_process_connect(s);
1291 }
1292 return 0;
1293 }
1294
1295 /* Check if DLC exists */
1296 d = rfcomm_dlc_get(s, dlci);
1297 if (d) {
1298 if (d->state == BT_OPEN) {
1299 /* DLC was previously opened by PN request */
1300 rfcomm_check_accept(d);
1301 }
1302 return 0;
1303 }
1304
1305 /* Notify socket layer about incoming connection */
1306 channel = __srv_channel(dlci);
1307 if (rfcomm_connect_ind(s, channel, &d)) {
1308 d->dlci = dlci;
1309 d->addr = __addr(s->initiator, dlci);
1310 rfcomm_dlc_link(s, d);
1311
1312 rfcomm_check_accept(d);
1313 } else {
1314 rfcomm_send_dm(s, dlci);
1315 }
1316
1317 return 0;
1318 }
1319
1320 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1321 {
1322 struct rfcomm_session *s = d->session;
1323
1324 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1325 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1326
1327 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1328 pn->flow_ctrl == 0xe0) {
1329 d->cfc = RFCOMM_CFC_ENABLED;
1330 d->tx_credits = pn->credits;
1331 } else {
1332 d->cfc = RFCOMM_CFC_DISABLED;
1333 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1334 }
1335
1336 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1337 s->cfc = d->cfc;
1338
1339 d->priority = pn->priority;
1340
1341 d->mtu = __le16_to_cpu(pn->mtu);
1342
1343 if (cr && d->mtu > s->mtu)
1344 d->mtu = s->mtu;
1345
1346 return 0;
1347 }
1348
1349 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1350 {
1351 struct rfcomm_pn *pn = (void *) skb->data;
1352 struct rfcomm_dlc *d;
1353 u8 dlci = pn->dlci;
1354
1355 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1356
1357 if (!dlci)
1358 return 0;
1359
1360 d = rfcomm_dlc_get(s, dlci);
1361 if (d) {
1362 if (cr) {
1363 /* PN request */
1364 rfcomm_apply_pn(d, cr, pn);
1365 rfcomm_send_pn(s, 0, d);
1366 } else {
1367 /* PN response */
1368 switch (d->state) {
1369 case BT_CONFIG:
1370 rfcomm_apply_pn(d, cr, pn);
1371
1372 d->state = BT_CONNECT;
1373 rfcomm_send_sabm(s, d->dlci);
1374 break;
1375 }
1376 }
1377 } else {
1378 u8 channel = __srv_channel(dlci);
1379
1380 if (!cr)
1381 return 0;
1382
1383 /* PN request for non existing DLC.
1384 * Assume incoming connection. */
1385 if (rfcomm_connect_ind(s, channel, &d)) {
1386 d->dlci = dlci;
1387 d->addr = __addr(s->initiator, dlci);
1388 rfcomm_dlc_link(s, d);
1389
1390 rfcomm_apply_pn(d, cr, pn);
1391
1392 d->state = BT_OPEN;
1393 rfcomm_send_pn(s, 0, d);
1394 } else {
1395 rfcomm_send_dm(s, dlci);
1396 }
1397 }
1398 return 0;
1399 }
1400
1401 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1402 {
1403 struct rfcomm_rpn *rpn = (void *) skb->data;
1404 u8 dlci = __get_dlci(rpn->dlci);
1405
1406 u8 bit_rate = 0;
1407 u8 data_bits = 0;
1408 u8 stop_bits = 0;
1409 u8 parity = 0;
1410 u8 flow_ctrl = 0;
1411 u8 xon_char = 0;
1412 u8 xoff_char = 0;
1413 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1414
1415 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1416 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1417 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1418
1419 if (!cr)
1420 return 0;
1421
1422 if (len == 1) {
1423 /* This is a request, return default (according to ETSI TS 07.10) settings */
1424 bit_rate = RFCOMM_RPN_BR_9600;
1425 data_bits = RFCOMM_RPN_DATA_8;
1426 stop_bits = RFCOMM_RPN_STOP_1;
1427 parity = RFCOMM_RPN_PARITY_NONE;
1428 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1429 xon_char = RFCOMM_RPN_XON_CHAR;
1430 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1431 goto rpn_out;
1432 }
1433
1434 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1435 * no parity, no flow control lines, normal XON/XOFF chars */
1436
1437 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1438 bit_rate = rpn->bit_rate;
1439 if (bit_rate > RFCOMM_RPN_BR_230400) {
1440 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1441 bit_rate = RFCOMM_RPN_BR_9600;
1442 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1443 }
1444 }
1445
1446 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1447 data_bits = __get_rpn_data_bits(rpn->line_settings);
1448 if (data_bits != RFCOMM_RPN_DATA_8) {
1449 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1450 data_bits = RFCOMM_RPN_DATA_8;
1451 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1452 }
1453 }
1454
1455 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1456 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1457 if (stop_bits != RFCOMM_RPN_STOP_1) {
1458 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1459 stop_bits = RFCOMM_RPN_STOP_1;
1460 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1461 }
1462 }
1463
1464 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1465 parity = __get_rpn_parity(rpn->line_settings);
1466 if (parity != RFCOMM_RPN_PARITY_NONE) {
1467 BT_DBG("RPN parity mismatch 0x%x", parity);
1468 parity = RFCOMM_RPN_PARITY_NONE;
1469 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1470 }
1471 }
1472
1473 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1474 flow_ctrl = rpn->flow_ctrl;
1475 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1476 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1477 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1478 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1479 }
1480 }
1481
1482 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1483 xon_char = rpn->xon_char;
1484 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1485 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1486 xon_char = RFCOMM_RPN_XON_CHAR;
1487 rpn_mask ^= RFCOMM_RPN_PM_XON;
1488 }
1489 }
1490
1491 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1492 xoff_char = rpn->xoff_char;
1493 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1494 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1495 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1496 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1497 }
1498 }
1499
1500 rpn_out:
1501 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1502 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1503
1504 return 0;
1505 }
1506
1507 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1508 {
1509 struct rfcomm_rls *rls = (void *) skb->data;
1510 u8 dlci = __get_dlci(rls->dlci);
1511
1512 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1513
1514 if (!cr)
1515 return 0;
1516
1517 /* We should probably do something with this information here. But
1518 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1519 * mandatory to recognise and respond to RLS */
1520
1521 rfcomm_send_rls(s, 0, dlci, rls->status);
1522
1523 return 0;
1524 }
1525
1526 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1527 {
1528 struct rfcomm_msc *msc = (void *) skb->data;
1529 struct rfcomm_dlc *d;
1530 u8 dlci = __get_dlci(msc->dlci);
1531
1532 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1533
1534 d = rfcomm_dlc_get(s, dlci);
1535 if (!d)
1536 return 0;
1537
1538 if (cr) {
1539 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1540 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1541 else
1542 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1543
1544 rfcomm_dlc_lock(d);
1545
1546 d->remote_v24_sig = msc->v24_sig;
1547
1548 if (d->modem_status)
1549 d->modem_status(d, msc->v24_sig);
1550
1551 rfcomm_dlc_unlock(d);
1552
1553 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1554
1555 d->mscex |= RFCOMM_MSCEX_RX;
1556 } else
1557 d->mscex |= RFCOMM_MSCEX_TX;
1558
1559 return 0;
1560 }
1561
1562 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1563 {
1564 struct rfcomm_mcc *mcc = (void *) skb->data;
1565 u8 type, cr, len;
1566
1567 cr = __test_cr(mcc->type);
1568 type = __get_mcc_type(mcc->type);
1569 len = __get_mcc_len(mcc->len);
1570
1571 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1572
1573 skb_pull(skb, 2);
1574
1575 switch (type) {
1576 case RFCOMM_PN:
1577 rfcomm_recv_pn(s, cr, skb);
1578 break;
1579
1580 case RFCOMM_RPN:
1581 rfcomm_recv_rpn(s, cr, len, skb);
1582 break;
1583
1584 case RFCOMM_RLS:
1585 rfcomm_recv_rls(s, cr, skb);
1586 break;
1587
1588 case RFCOMM_MSC:
1589 rfcomm_recv_msc(s, cr, skb);
1590 break;
1591
1592 case RFCOMM_FCOFF:
1593 if (cr) {
1594 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1595 rfcomm_send_fcoff(s, 0);
1596 }
1597 break;
1598
1599 case RFCOMM_FCON:
1600 if (cr) {
1601 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1602 rfcomm_send_fcon(s, 0);
1603 }
1604 break;
1605
1606 case RFCOMM_TEST:
1607 if (cr)
1608 rfcomm_send_test(s, 0, skb->data, skb->len);
1609 break;
1610
1611 case RFCOMM_NSC:
1612 break;
1613
1614 default:
1615 BT_ERR("Unknown control type 0x%02x", type);
1616 rfcomm_send_nsc(s, cr, type);
1617 break;
1618 }
1619 return 0;
1620 }
1621
1622 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1623 {
1624 struct rfcomm_dlc *d;
1625
1626 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1627
1628 d = rfcomm_dlc_get(s, dlci);
1629 if (!d) {
1630 rfcomm_send_dm(s, dlci);
1631 goto drop;
1632 }
1633
1634 if (pf && d->cfc) {
1635 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1636
1637 d->tx_credits += credits;
1638 if (d->tx_credits)
1639 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1640 }
1641
1642 if (skb->len && d->state == BT_CONNECTED) {
1643 rfcomm_dlc_lock(d);
1644 d->rx_credits--;
1645 d->data_ready(d, skb);
1646 rfcomm_dlc_unlock(d);
1647 return 0;
1648 }
1649
1650 drop:
1651 kfree_skb(skb);
1652 return 0;
1653 }
1654
1655 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1656 {
1657 struct rfcomm_hdr *hdr = (void *) skb->data;
1658 u8 type, dlci, fcs;
1659
1660 dlci = __get_dlci(hdr->addr);
1661 type = __get_type(hdr->ctrl);
1662
1663 /* Trim FCS */
1664 skb->len--; skb->tail--;
1665 fcs = *(u8 *)skb_tail_pointer(skb);
1666
1667 if (__check_fcs(skb->data, type, fcs)) {
1668 BT_ERR("bad checksum in packet");
1669 kfree_skb(skb);
1670 return -EILSEQ;
1671 }
1672
1673 if (__test_ea(hdr->len))
1674 skb_pull(skb, 3);
1675 else
1676 skb_pull(skb, 4);
1677
1678 switch (type) {
1679 case RFCOMM_SABM:
1680 if (__test_pf(hdr->ctrl))
1681 rfcomm_recv_sabm(s, dlci);
1682 break;
1683
1684 case RFCOMM_DISC:
1685 if (__test_pf(hdr->ctrl))
1686 rfcomm_recv_disc(s, dlci);
1687 break;
1688
1689 case RFCOMM_UA:
1690 if (__test_pf(hdr->ctrl))
1691 rfcomm_recv_ua(s, dlci);
1692 break;
1693
1694 case RFCOMM_DM:
1695 rfcomm_recv_dm(s, dlci);
1696 break;
1697
1698 case RFCOMM_UIH:
1699 if (dlci)
1700 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1701
1702 rfcomm_recv_mcc(s, skb);
1703 break;
1704
1705 default:
1706 BT_ERR("Unknown packet type 0x%02x", type);
1707 break;
1708 }
1709 kfree_skb(skb);
1710 return 0;
1711 }
1712
1713 /* ---- Connection and data processing ---- */
1714
1715 static void rfcomm_process_connect(struct rfcomm_session *s)
1716 {
1717 struct rfcomm_dlc *d;
1718 struct list_head *p, *n;
1719
1720 BT_DBG("session %p state %ld", s, s->state);
1721
1722 list_for_each_safe(p, n, &s->dlcs) {
1723 d = list_entry(p, struct rfcomm_dlc, list);
1724 if (d->state == BT_CONFIG) {
1725 d->mtu = s->mtu;
1726 if (rfcomm_check_security(d)) {
1727 rfcomm_send_pn(s, 1, d);
1728 } else {
1729 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1730 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1731 }
1732 }
1733 }
1734 }
1735
1736 /* Send data queued for the DLC.
1737 * Return number of frames left in the queue.
1738 */
1739 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1740 {
1741 struct sk_buff *skb;
1742 int err;
1743
1744 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1745 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1746
1747 /* Send pending MSC */
1748 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1749 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1750
1751 if (d->cfc) {
1752 /* CFC enabled.
1753 * Give them some credits */
1754 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1755 d->rx_credits <= (d->cfc >> 2)) {
1756 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1757 d->rx_credits = d->cfc;
1758 }
1759 } else {
1760 /* CFC disabled.
1761 * Give ourselves some credits */
1762 d->tx_credits = 5;
1763 }
1764
1765 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1766 return skb_queue_len(&d->tx_queue);
1767
1768 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1769 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1770 if (err < 0) {
1771 skb_queue_head(&d->tx_queue, skb);
1772 break;
1773 }
1774 kfree_skb(skb);
1775 d->tx_credits--;
1776 }
1777
1778 if (d->cfc && !d->tx_credits) {
1779 /* We're out of TX credits.
1780 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1781 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1782 }
1783
1784 return skb_queue_len(&d->tx_queue);
1785 }
1786
1787 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1788 {
1789 struct rfcomm_dlc *d;
1790 struct list_head *p, *n;
1791
1792 BT_DBG("session %p state %ld", s, s->state);
1793
1794 list_for_each_safe(p, n, &s->dlcs) {
1795 d = list_entry(p, struct rfcomm_dlc, list);
1796
1797 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1798 __rfcomm_dlc_close(d, ETIMEDOUT);
1799 continue;
1800 }
1801
1802 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1803 __rfcomm_dlc_close(d, ECONNREFUSED);
1804 continue;
1805 }
1806
1807 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1808 rfcomm_dlc_clear_timer(d);
1809 if (d->out) {
1810 rfcomm_send_pn(s, 1, d);
1811 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1812 } else {
1813 if (d->defer_setup) {
1814 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1815 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1816
1817 rfcomm_dlc_lock(d);
1818 d->state = BT_CONNECT2;
1819 d->state_change(d, 0);
1820 rfcomm_dlc_unlock(d);
1821 } else
1822 rfcomm_dlc_accept(d);
1823 }
1824 continue;
1825 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1826 rfcomm_dlc_clear_timer(d);
1827 if (!d->out)
1828 rfcomm_send_dm(s, d->dlci);
1829 else
1830 d->state = BT_CLOSED;
1831 __rfcomm_dlc_close(d, ECONNREFUSED);
1832 continue;
1833 }
1834
1835 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1836 continue;
1837
1838 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1839 continue;
1840
1841 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1842 d->mscex == RFCOMM_MSCEX_OK)
1843 rfcomm_process_tx(d);
1844 }
1845 }
1846
1847 static void rfcomm_process_rx(struct rfcomm_session *s)
1848 {
1849 struct socket *sock = s->sock;
1850 struct sock *sk = sock->sk;
1851 struct sk_buff *skb;
1852
1853 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1854
1855 /* Get data directly from socket receive queue without copying it. */
1856 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1857 skb_orphan(skb);
1858 if (!skb_linearize(skb))
1859 rfcomm_recv_frame(s, skb);
1860 else
1861 kfree_skb(skb);
1862 }
1863
1864 if (sk->sk_state == BT_CLOSED) {
1865 if (!s->initiator)
1866 rfcomm_session_put(s);
1867
1868 rfcomm_session_close(s, sk->sk_err);
1869 }
1870 }
1871
1872 static void rfcomm_accept_connection(struct rfcomm_session *s)
1873 {
1874 struct socket *sock = s->sock, *nsock;
1875 int err;
1876
1877 /* Fast check for a new connection.
1878 * Avoids unnesesary socket allocations. */
1879 if (list_empty(&bt_sk(sock->sk)->accept_q))
1880 return;
1881
1882 BT_DBG("session %p", s);
1883
1884 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1885 if (err < 0)
1886 return;
1887
1888 /* Set our callbacks */
1889 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1890 nsock->sk->sk_state_change = rfcomm_l2state_change;
1891
1892 s = rfcomm_session_add(nsock, BT_OPEN);
1893 if (s) {
1894 rfcomm_session_hold(s);
1895
1896 /* We should adjust MTU on incoming sessions.
1897 * L2CAP MTU minus UIH header and FCS. */
1898 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1899 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1900
1901 rfcomm_schedule();
1902 } else
1903 sock_release(nsock);
1904 }
1905
1906 static void rfcomm_check_connection(struct rfcomm_session *s)
1907 {
1908 struct sock *sk = s->sock->sk;
1909
1910 BT_DBG("%p state %ld", s, s->state);
1911
1912 switch (sk->sk_state) {
1913 case BT_CONNECTED:
1914 s->state = BT_CONNECT;
1915
1916 /* We can adjust MTU on outgoing sessions.
1917 * L2CAP MTU minus UIH header and FCS. */
1918 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1919
1920 rfcomm_send_sabm(s, 0);
1921 break;
1922
1923 case BT_CLOSED:
1924 s->state = BT_CLOSED;
1925 rfcomm_session_close(s, sk->sk_err);
1926 break;
1927 }
1928 }
1929
1930 static void rfcomm_process_sessions(void)
1931 {
1932 struct list_head *p, *n;
1933
1934 rfcomm_lock();
1935
1936 list_for_each_safe(p, n, &session_list) {
1937 struct rfcomm_session *s;
1938 s = list_entry(p, struct rfcomm_session, list);
1939
1940 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1941 s->state = BT_DISCONN;
1942 rfcomm_send_disc(s, 0);
1943 rfcomm_session_put(s);
1944 continue;
1945 }
1946
1947 if (s->state == BT_LISTEN) {
1948 rfcomm_accept_connection(s);
1949 continue;
1950 }
1951
1952 rfcomm_session_hold(s);
1953
1954 switch (s->state) {
1955 case BT_BOUND:
1956 rfcomm_check_connection(s);
1957 break;
1958
1959 default:
1960 rfcomm_process_rx(s);
1961 break;
1962 }
1963
1964 rfcomm_process_dlcs(s);
1965
1966 rfcomm_session_put(s);
1967 }
1968
1969 rfcomm_unlock();
1970 }
1971
1972 static int rfcomm_add_listener(bdaddr_t *ba)
1973 {
1974 struct sockaddr_l2 addr;
1975 struct socket *sock;
1976 struct sock *sk;
1977 struct rfcomm_session *s;
1978 int err = 0;
1979
1980 /* Create socket */
1981 err = rfcomm_l2sock_create(&sock);
1982 if (err < 0) {
1983 BT_ERR("Create socket failed %d", err);
1984 return err;
1985 }
1986
1987 /* Bind socket */
1988 bacpy(&addr.l2_bdaddr, ba);
1989 addr.l2_family = AF_BLUETOOTH;
1990 addr.l2_psm = cpu_to_le16(RFCOMM_PSM);
1991 addr.l2_cid = 0;
1992 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1993 if (err < 0) {
1994 BT_ERR("Bind failed %d", err);
1995 goto failed;
1996 }
1997
1998 /* Set L2CAP options */
1999 sk = sock->sk;
2000 lock_sock(sk);
2001 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2002 release_sock(sk);
2003
2004 /* Start listening on the socket */
2005 err = kernel_listen(sock, 10);
2006 if (err) {
2007 BT_ERR("Listen failed %d", err);
2008 goto failed;
2009 }
2010
2011 /* Add listening session */
2012 s = rfcomm_session_add(sock, BT_LISTEN);
2013 if (!s)
2014 goto failed;
2015
2016 rfcomm_session_hold(s);
2017 return 0;
2018 failed:
2019 sock_release(sock);
2020 return err;
2021 }
2022
2023 static void rfcomm_kill_listener(void)
2024 {
2025 struct rfcomm_session *s;
2026 struct list_head *p, *n;
2027
2028 BT_DBG("");
2029
2030 list_for_each_safe(p, n, &session_list) {
2031 s = list_entry(p, struct rfcomm_session, list);
2032 rfcomm_session_del(s);
2033 }
2034 }
2035
2036 static int rfcomm_run(void *unused)
2037 {
2038 BT_DBG("");
2039
2040 set_user_nice(current, -10);
2041
2042 rfcomm_add_listener(BDADDR_ANY);
2043
2044 while (1) {
2045 set_current_state(TASK_INTERRUPTIBLE);
2046
2047 if (kthread_should_stop())
2048 break;
2049
2050 /* Process stuff */
2051 rfcomm_process_sessions();
2052
2053 schedule();
2054 }
2055 __set_current_state(TASK_RUNNING);
2056
2057 rfcomm_kill_listener();
2058
2059 return 0;
2060 }
2061
2062 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2063 {
2064 struct rfcomm_session *s;
2065 struct rfcomm_dlc *d;
2066 struct list_head *p, *n;
2067
2068 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2069
2070 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2071 if (!s)
2072 return;
2073
2074 rfcomm_session_hold(s);
2075
2076 list_for_each_safe(p, n, &s->dlcs) {
2077 d = list_entry(p, struct rfcomm_dlc, list);
2078
2079 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2080 rfcomm_dlc_clear_timer(d);
2081 if (status || encrypt == 0x00) {
2082 set_bit(RFCOMM_ENC_DROP, &d->flags);
2083 continue;
2084 }
2085 }
2086
2087 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2088 if (d->sec_level == BT_SECURITY_MEDIUM) {
2089 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2090 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2091 continue;
2092 } else if (d->sec_level == BT_SECURITY_HIGH) {
2093 set_bit(RFCOMM_ENC_DROP, &d->flags);
2094 continue;
2095 }
2096 }
2097
2098 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2099 continue;
2100
2101 if (!status && hci_conn_check_secure(conn, d->sec_level))
2102 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2103 else
2104 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2105 }
2106
2107 rfcomm_session_put(s);
2108
2109 rfcomm_schedule();
2110 }
2111
2112 static struct hci_cb rfcomm_cb = {
2113 .name = "RFCOMM",
2114 .security_cfm = rfcomm_security_cfm
2115 };
2116
2117 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2118 {
2119 struct rfcomm_session *s;
2120
2121 rfcomm_lock();
2122
2123 list_for_each_entry(s, &session_list, list) {
2124 struct rfcomm_dlc *d;
2125 list_for_each_entry(d, &s->dlcs, list) {
2126 struct sock *sk = s->sock->sk;
2127
2128 seq_printf(f, "%s %s %ld %d %d %d %d\n",
2129 batostr(&bt_sk(sk)->src),
2130 batostr(&bt_sk(sk)->dst),
2131 d->state, d->dlci, d->mtu,
2132 d->rx_credits, d->tx_credits);
2133 }
2134 }
2135
2136 rfcomm_unlock();
2137
2138 return 0;
2139 }
2140
2141 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2142 {
2143 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2144 }
2145
2146 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2147 .open = rfcomm_dlc_debugfs_open,
2148 .read = seq_read,
2149 .llseek = seq_lseek,
2150 .release = single_release,
2151 };
2152
2153 static struct dentry *rfcomm_dlc_debugfs;
2154
2155 /* ---- Initialization ---- */
2156 static int __init rfcomm_init(void)
2157 {
2158 int err;
2159
2160 hci_register_cb(&rfcomm_cb);
2161
2162 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2163 if (IS_ERR(rfcomm_thread)) {
2164 err = PTR_ERR(rfcomm_thread);
2165 goto unregister;
2166 }
2167
2168 if (bt_debugfs) {
2169 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2170 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2171 if (!rfcomm_dlc_debugfs)
2172 BT_ERR("Failed to create RFCOMM debug file");
2173 }
2174
2175 err = rfcomm_init_ttys();
2176 if (err < 0)
2177 goto stop;
2178
2179 err = rfcomm_init_sockets();
2180 if (err < 0)
2181 goto cleanup;
2182
2183 BT_INFO("RFCOMM ver %s", VERSION);
2184
2185 return 0;
2186
2187 cleanup:
2188 rfcomm_cleanup_ttys();
2189
2190 stop:
2191 kthread_stop(rfcomm_thread);
2192
2193 unregister:
2194 hci_unregister_cb(&rfcomm_cb);
2195
2196 return err;
2197 }
2198
2199 static void __exit rfcomm_exit(void)
2200 {
2201 debugfs_remove(rfcomm_dlc_debugfs);
2202
2203 hci_unregister_cb(&rfcomm_cb);
2204
2205 kthread_stop(rfcomm_thread);
2206
2207 rfcomm_cleanup_ttys();
2208
2209 rfcomm_cleanup_sockets();
2210 }
2211
2212 module_init(rfcomm_init);
2213 module_exit(rfcomm_exit);
2214
2215 module_param(disable_cfc, bool, 0644);
2216 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2217
2218 module_param(channel_mtu, int, 0644);
2219 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2220
2221 module_param(l2cap_mtu, uint, 0644);
2222 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2223
2224 module_param(l2cap_ertm, bool, 0644);
2225 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2226
2227 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2228 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2229 MODULE_VERSION(VERSION);
2230 MODULE_LICENSE("GPL");
2231 MODULE_ALIAS("bt-proto-3");
Linux with added FPC-III support