Loading...
1/*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22*/
23
24/*
25 * Bluetooth RFCOMM core.
26 */
27
28#include <linux/module.h>
29#include <linux/errno.h>
30#include <linux/kernel.h>
31#include <linux/sched.h>
32#include <linux/signal.h>
33#include <linux/init.h>
34#include <linux/wait.h>
35#include <linux/device.h>
36#include <linux/debugfs.h>
37#include <linux/seq_file.h>
38#include <linux/net.h>
39#include <linux/mutex.h>
40#include <linux/kthread.h>
41#include <linux/slab.h>
42
43#include <net/sock.h>
44#include <linux/uaccess.h>
45#include <asm/unaligned.h>
46
47#include <net/bluetooth/bluetooth.h>
48#include <net/bluetooth/hci_core.h>
49#include <net/bluetooth/l2cap.h>
50#include <net/bluetooth/rfcomm.h>
51
52#define VERSION "1.11"
53
54static int disable_cfc;
55static int l2cap_ertm;
56static int channel_mtu = -1;
57static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
58
59static struct task_struct *rfcomm_thread;
60
61static DEFINE_MUTEX(rfcomm_mutex);
62#define rfcomm_lock() mutex_lock(&rfcomm_mutex)
63#define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
64
65
66static LIST_HEAD(session_list);
67
68static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
69static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
70static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
71static int rfcomm_queue_disc(struct rfcomm_dlc *d);
72static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
73static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
74static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
75static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
76static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
77static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
78
79static void rfcomm_process_connect(struct rfcomm_session *s);
80
81static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
82 bdaddr_t *dst,
83 u8 sec_level,
84 int *err);
85static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
86static void rfcomm_session_del(struct rfcomm_session *s);
87
88/* ---- RFCOMM frame parsing macros ---- */
89#define __get_dlci(b) ((b & 0xfc) >> 2)
90#define __get_channel(b) ((b & 0xf8) >> 3)
91#define __get_dir(b) ((b & 0x04) >> 2)
92#define __get_type(b) ((b & 0xef))
93
94#define __test_ea(b) ((b & 0x01))
95#define __test_cr(b) ((b & 0x02))
96#define __test_pf(b) ((b & 0x10))
97
98#define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
99#define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
100#define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
101#define __srv_channel(dlci) (dlci >> 1)
102#define __dir(dlci) (dlci & 0x01)
103
104#define __len8(len) (((len) << 1) | 1)
105#define __len16(len) ((len) << 1)
106
107/* MCC macros */
108#define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
109#define __get_mcc_type(b) ((b & 0xfc) >> 2)
110#define __get_mcc_len(b) ((b & 0xfe) >> 1)
111
112/* RPN macros */
113#define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
114#define __get_rpn_data_bits(line) ((line) & 0x3)
115#define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
116#define __get_rpn_parity(line) (((line) >> 3) & 0x7)
117
118static inline void rfcomm_schedule(void)
119{
120 if (!rfcomm_thread)
121 return;
122 wake_up_process(rfcomm_thread);
123}
124
125static inline void rfcomm_session_put(struct rfcomm_session *s)
126{
127 if (atomic_dec_and_test(&s->refcnt))
128 rfcomm_session_del(s);
129}
130
131/* ---- RFCOMM FCS computation ---- */
132
133/* reversed, 8-bit, poly=0x07 */
134static unsigned char rfcomm_crc_table[256] = {
135 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
136 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
137 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
138 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
139
140 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
141 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
142 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
143 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
144
145 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
146 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
147 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
148 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
149
150 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
151 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
152 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
153 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
154
155 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
156 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
157 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
158 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
159
160 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
161 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
162 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
163 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
164
165 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
166 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
167 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
168 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
169
170 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
171 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
172 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
173 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
174};
175
176/* CRC on 2 bytes */
177#define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
178
179/* FCS on 2 bytes */
180static inline u8 __fcs(u8 *data)
181{
182 return 0xff - __crc(data);
183}
184
185/* FCS on 3 bytes */
186static inline u8 __fcs2(u8 *data)
187{
188 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
189}
190
191/* Check FCS */
192static inline int __check_fcs(u8 *data, int type, u8 fcs)
193{
194 u8 f = __crc(data);
195
196 if (type != RFCOMM_UIH)
197 f = rfcomm_crc_table[f ^ data[2]];
198
199 return rfcomm_crc_table[f ^ fcs] != 0xcf;
200}
201
202/* ---- L2CAP callbacks ---- */
203static void rfcomm_l2state_change(struct sock *sk)
204{
205 BT_DBG("%p state %d", sk, sk->sk_state);
206 rfcomm_schedule();
207}
208
209static void rfcomm_l2data_ready(struct sock *sk, int bytes)
210{
211 BT_DBG("%p bytes %d", sk, bytes);
212 rfcomm_schedule();
213}
214
215static int rfcomm_l2sock_create(struct socket **sock)
216{
217 int err;
218
219 BT_DBG("");
220
221 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
222 if (!err) {
223 struct sock *sk = (*sock)->sk;
224 sk->sk_data_ready = rfcomm_l2data_ready;
225 sk->sk_state_change = rfcomm_l2state_change;
226 }
227 return err;
228}
229
230static inline int rfcomm_check_security(struct rfcomm_dlc *d)
231{
232 struct sock *sk = d->session->sock->sk;
233 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
234
235 __u8 auth_type;
236
237 switch (d->sec_level) {
238 case BT_SECURITY_HIGH:
239 auth_type = HCI_AT_GENERAL_BONDING_MITM;
240 break;
241 case BT_SECURITY_MEDIUM:
242 auth_type = HCI_AT_GENERAL_BONDING;
243 break;
244 default:
245 auth_type = HCI_AT_NO_BONDING;
246 break;
247 }
248
249 return hci_conn_security(conn->hcon, d->sec_level, auth_type);
250}
251
252static void rfcomm_session_timeout(unsigned long arg)
253{
254 struct rfcomm_session *s = (void *) arg;
255
256 BT_DBG("session %p state %ld", s, s->state);
257
258 set_bit(RFCOMM_TIMED_OUT, &s->flags);
259 rfcomm_schedule();
260}
261
262static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
263{
264 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
265
266 if (!mod_timer(&s->timer, jiffies + timeout))
267 rfcomm_session_hold(s);
268}
269
270static void rfcomm_session_clear_timer(struct rfcomm_session *s)
271{
272 BT_DBG("session %p state %ld", s, s->state);
273
274 if (timer_pending(&s->timer) && del_timer(&s->timer))
275 rfcomm_session_put(s);
276}
277
278/* ---- RFCOMM DLCs ---- */
279static void rfcomm_dlc_timeout(unsigned long arg)
280{
281 struct rfcomm_dlc *d = (void *) arg;
282
283 BT_DBG("dlc %p state %ld", d, d->state);
284
285 set_bit(RFCOMM_TIMED_OUT, &d->flags);
286 rfcomm_dlc_put(d);
287 rfcomm_schedule();
288}
289
290static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
291{
292 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
293
294 if (!mod_timer(&d->timer, jiffies + timeout))
295 rfcomm_dlc_hold(d);
296}
297
298static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
299{
300 BT_DBG("dlc %p state %ld", d, d->state);
301
302 if (timer_pending(&d->timer) && del_timer(&d->timer))
303 rfcomm_dlc_put(d);
304}
305
306static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
307{
308 BT_DBG("%p", d);
309
310 d->state = BT_OPEN;
311 d->flags = 0;
312 d->mscex = 0;
313 d->sec_level = BT_SECURITY_LOW;
314 d->mtu = RFCOMM_DEFAULT_MTU;
315 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
316
317 d->cfc = RFCOMM_CFC_DISABLED;
318 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
319}
320
321struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
322{
323 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
324
325 if (!d)
326 return NULL;
327
328 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
329
330 skb_queue_head_init(&d->tx_queue);
331 spin_lock_init(&d->lock);
332 atomic_set(&d->refcnt, 1);
333
334 rfcomm_dlc_clear_state(d);
335
336 BT_DBG("%p", d);
337
338 return d;
339}
340
341void rfcomm_dlc_free(struct rfcomm_dlc *d)
342{
343 BT_DBG("%p", d);
344
345 skb_queue_purge(&d->tx_queue);
346 kfree(d);
347}
348
349static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
350{
351 BT_DBG("dlc %p session %p", d, s);
352
353 rfcomm_session_hold(s);
354
355 rfcomm_session_clear_timer(s);
356 rfcomm_dlc_hold(d);
357 list_add(&d->list, &s->dlcs);
358 d->session = s;
359}
360
361static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
362{
363 struct rfcomm_session *s = d->session;
364
365 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
366
367 list_del(&d->list);
368 d->session = NULL;
369 rfcomm_dlc_put(d);
370
371 if (list_empty(&s->dlcs))
372 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
373
374 rfcomm_session_put(s);
375}
376
377static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
378{
379 struct rfcomm_dlc *d;
380 struct list_head *p;
381
382 list_for_each(p, &s->dlcs) {
383 d = list_entry(p, struct rfcomm_dlc, list);
384 if (d->dlci == dlci)
385 return d;
386 }
387 return NULL;
388}
389
390static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
391{
392 struct rfcomm_session *s;
393 int err = 0;
394 u8 dlci;
395
396 BT_DBG("dlc %p state %ld %s %s channel %d",
397 d, d->state, batostr(src), batostr(dst), channel);
398
399 if (channel < 1 || channel > 30)
400 return -EINVAL;
401
402 if (d->state != BT_OPEN && d->state != BT_CLOSED)
403 return 0;
404
405 s = rfcomm_session_get(src, dst);
406 if (!s) {
407 s = rfcomm_session_create(src, dst, d->sec_level, &err);
408 if (!s)
409 return err;
410 }
411
412 dlci = __dlci(!s->initiator, channel);
413
414 /* Check if DLCI already exists */
415 if (rfcomm_dlc_get(s, dlci))
416 return -EBUSY;
417
418 rfcomm_dlc_clear_state(d);
419
420 d->dlci = dlci;
421 d->addr = __addr(s->initiator, dlci);
422 d->priority = 7;
423
424 d->state = BT_CONFIG;
425 rfcomm_dlc_link(s, d);
426
427 d->out = 1;
428
429 d->mtu = s->mtu;
430 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
431
432 if (s->state == BT_CONNECTED) {
433 if (rfcomm_check_security(d))
434 rfcomm_send_pn(s, 1, d);
435 else
436 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
437 }
438
439 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
440
441 return 0;
442}
443
444int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
445{
446 int r;
447
448 rfcomm_lock();
449
450 r = __rfcomm_dlc_open(d, src, dst, channel);
451
452 rfcomm_unlock();
453 return r;
454}
455
456static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
457{
458 struct rfcomm_session *s = d->session;
459 if (!s)
460 return 0;
461
462 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
463 d, d->state, d->dlci, err, s);
464
465 switch (d->state) {
466 case BT_CONNECT:
467 case BT_CONFIG:
468 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
469 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
470 rfcomm_schedule();
471 break;
472 }
473 /* Fall through */
474
475 case BT_CONNECTED:
476 d->state = BT_DISCONN;
477 if (skb_queue_empty(&d->tx_queue)) {
478 rfcomm_send_disc(s, d->dlci);
479 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
480 } else {
481 rfcomm_queue_disc(d);
482 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
483 }
484 break;
485
486 case BT_OPEN:
487 case BT_CONNECT2:
488 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
489 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
490 rfcomm_schedule();
491 break;
492 }
493 /* Fall through */
494
495 default:
496 rfcomm_dlc_clear_timer(d);
497
498 rfcomm_dlc_lock(d);
499 d->state = BT_CLOSED;
500 d->state_change(d, err);
501 rfcomm_dlc_unlock(d);
502
503 skb_queue_purge(&d->tx_queue);
504 rfcomm_dlc_unlink(d);
505 }
506
507 return 0;
508}
509
510int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
511{
512 int r;
513
514 rfcomm_lock();
515
516 r = __rfcomm_dlc_close(d, err);
517
518 rfcomm_unlock();
519 return r;
520}
521
522int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
523{
524 int len = skb->len;
525
526 if (d->state != BT_CONNECTED)
527 return -ENOTCONN;
528
529 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
530
531 if (len > d->mtu)
532 return -EINVAL;
533
534 rfcomm_make_uih(skb, d->addr);
535 skb_queue_tail(&d->tx_queue, skb);
536
537 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
538 rfcomm_schedule();
539 return len;
540}
541
542void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
543{
544 BT_DBG("dlc %p state %ld", d, d->state);
545
546 if (!d->cfc) {
547 d->v24_sig |= RFCOMM_V24_FC;
548 set_bit(RFCOMM_MSC_PENDING, &d->flags);
549 }
550 rfcomm_schedule();
551}
552
553void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
554{
555 BT_DBG("dlc %p state %ld", d, d->state);
556
557 if (!d->cfc) {
558 d->v24_sig &= ~RFCOMM_V24_FC;
559 set_bit(RFCOMM_MSC_PENDING, &d->flags);
560 }
561 rfcomm_schedule();
562}
563
564/*
565 Set/get modem status functions use _local_ status i.e. what we report
566 to the other side.
567 Remote status is provided by dlc->modem_status() callback.
568 */
569int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
570{
571 BT_DBG("dlc %p state %ld v24_sig 0x%x",
572 d, d->state, v24_sig);
573
574 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
575 v24_sig |= RFCOMM_V24_FC;
576 else
577 v24_sig &= ~RFCOMM_V24_FC;
578
579 d->v24_sig = v24_sig;
580
581 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
582 rfcomm_schedule();
583
584 return 0;
585}
586
587int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
588{
589 BT_DBG("dlc %p state %ld v24_sig 0x%x",
590 d, d->state, d->v24_sig);
591
592 *v24_sig = d->v24_sig;
593 return 0;
594}
595
596/* ---- RFCOMM sessions ---- */
597static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
598{
599 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
600
601 if (!s)
602 return NULL;
603
604 BT_DBG("session %p sock %p", s, sock);
605
606 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
607
608 INIT_LIST_HEAD(&s->dlcs);
609 s->state = state;
610 s->sock = sock;
611
612 s->mtu = RFCOMM_DEFAULT_MTU;
613 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
614
615 /* Do not increment module usage count for listening sessions.
616 * Otherwise we won't be able to unload the module. */
617 if (state != BT_LISTEN)
618 if (!try_module_get(THIS_MODULE)) {
619 kfree(s);
620 return NULL;
621 }
622
623 list_add(&s->list, &session_list);
624
625 return s;
626}
627
628static void rfcomm_session_del(struct rfcomm_session *s)
629{
630 int state = s->state;
631
632 BT_DBG("session %p state %ld", s, s->state);
633
634 list_del(&s->list);
635
636 if (state == BT_CONNECTED)
637 rfcomm_send_disc(s, 0);
638
639 rfcomm_session_clear_timer(s);
640 sock_release(s->sock);
641 kfree(s);
642
643 if (state != BT_LISTEN)
644 module_put(THIS_MODULE);
645}
646
647static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
648{
649 struct rfcomm_session *s;
650 struct list_head *p, *n;
651 struct bt_sock *sk;
652 list_for_each_safe(p, n, &session_list) {
653 s = list_entry(p, struct rfcomm_session, list);
654 sk = bt_sk(s->sock->sk);
655
656 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
657 !bacmp(&sk->dst, dst))
658 return s;
659 }
660 return NULL;
661}
662
663static void rfcomm_session_close(struct rfcomm_session *s, int err)
664{
665 struct rfcomm_dlc *d;
666 struct list_head *p, *n;
667
668 BT_DBG("session %p state %ld err %d", s, s->state, err);
669
670 rfcomm_session_hold(s);
671
672 s->state = BT_CLOSED;
673
674 /* Close all dlcs */
675 list_for_each_safe(p, n, &s->dlcs) {
676 d = list_entry(p, struct rfcomm_dlc, list);
677 d->state = BT_CLOSED;
678 __rfcomm_dlc_close(d, err);
679 }
680
681 rfcomm_session_clear_timer(s);
682 rfcomm_session_put(s);
683}
684
685static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
686 bdaddr_t *dst,
687 u8 sec_level,
688 int *err)
689{
690 struct rfcomm_session *s = NULL;
691 struct sockaddr_l2 addr;
692 struct socket *sock;
693 struct sock *sk;
694
695 BT_DBG("%s %s", batostr(src), batostr(dst));
696
697 *err = rfcomm_l2sock_create(&sock);
698 if (*err < 0)
699 return NULL;
700
701 bacpy(&addr.l2_bdaddr, src);
702 addr.l2_family = AF_BLUETOOTH;
703 addr.l2_psm = 0;
704 addr.l2_cid = 0;
705 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
706 if (*err < 0)
707 goto failed;
708
709 /* Set L2CAP options */
710 sk = sock->sk;
711 lock_sock(sk);
712 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
713 l2cap_pi(sk)->chan->sec_level = sec_level;
714 if (l2cap_ertm)
715 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
716 release_sock(sk);
717
718 s = rfcomm_session_add(sock, BT_BOUND);
719 if (!s) {
720 *err = -ENOMEM;
721 goto failed;
722 }
723
724 s->initiator = 1;
725
726 bacpy(&addr.l2_bdaddr, dst);
727 addr.l2_family = AF_BLUETOOTH;
728 addr.l2_psm = cpu_to_le16(RFCOMM_PSM);
729 addr.l2_cid = 0;
730 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
731 if (*err == 0 || *err == -EINPROGRESS)
732 return s;
733
734 rfcomm_session_del(s);
735 return NULL;
736
737failed:
738 sock_release(sock);
739 return NULL;
740}
741
742void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
743{
744 struct sock *sk = s->sock->sk;
745 if (src)
746 bacpy(src, &bt_sk(sk)->src);
747 if (dst)
748 bacpy(dst, &bt_sk(sk)->dst);
749}
750
751/* ---- RFCOMM frame sending ---- */
752static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
753{
754 struct socket *sock = s->sock;
755 struct kvec iv = { data, len };
756 struct msghdr msg;
757
758 BT_DBG("session %p len %d", s, len);
759
760 memset(&msg, 0, sizeof(msg));
761
762 return kernel_sendmsg(sock, &msg, &iv, 1, len);
763}
764
765static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
766{
767 struct rfcomm_cmd cmd;
768
769 BT_DBG("%p dlci %d", s, dlci);
770
771 cmd.addr = __addr(s->initiator, dlci);
772 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
773 cmd.len = __len8(0);
774 cmd.fcs = __fcs2((u8 *) &cmd);
775
776 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
777}
778
779static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
780{
781 struct rfcomm_cmd cmd;
782
783 BT_DBG("%p dlci %d", s, dlci);
784
785 cmd.addr = __addr(!s->initiator, dlci);
786 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
787 cmd.len = __len8(0);
788 cmd.fcs = __fcs2((u8 *) &cmd);
789
790 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
791}
792
793static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
794{
795 struct rfcomm_cmd cmd;
796
797 BT_DBG("%p dlci %d", s, dlci);
798
799 cmd.addr = __addr(s->initiator, dlci);
800 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
801 cmd.len = __len8(0);
802 cmd.fcs = __fcs2((u8 *) &cmd);
803
804 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
805}
806
807static int rfcomm_queue_disc(struct rfcomm_dlc *d)
808{
809 struct rfcomm_cmd *cmd;
810 struct sk_buff *skb;
811
812 BT_DBG("dlc %p dlci %d", d, d->dlci);
813
814 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
815 if (!skb)
816 return -ENOMEM;
817
818 cmd = (void *) __skb_put(skb, sizeof(*cmd));
819 cmd->addr = d->addr;
820 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
821 cmd->len = __len8(0);
822 cmd->fcs = __fcs2((u8 *) cmd);
823
824 skb_queue_tail(&d->tx_queue, skb);
825 rfcomm_schedule();
826 return 0;
827}
828
829static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
830{
831 struct rfcomm_cmd cmd;
832
833 BT_DBG("%p dlci %d", s, dlci);
834
835 cmd.addr = __addr(!s->initiator, dlci);
836 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
837 cmd.len = __len8(0);
838 cmd.fcs = __fcs2((u8 *) &cmd);
839
840 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
841}
842
843static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
844{
845 struct rfcomm_hdr *hdr;
846 struct rfcomm_mcc *mcc;
847 u8 buf[16], *ptr = buf;
848
849 BT_DBG("%p cr %d type %d", s, cr, type);
850
851 hdr = (void *) ptr; ptr += sizeof(*hdr);
852 hdr->addr = __addr(s->initiator, 0);
853 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
854 hdr->len = __len8(sizeof(*mcc) + 1);
855
856 mcc = (void *) ptr; ptr += sizeof(*mcc);
857 mcc->type = __mcc_type(cr, RFCOMM_NSC);
858 mcc->len = __len8(1);
859
860 /* Type that we didn't like */
861 *ptr = __mcc_type(cr, type); ptr++;
862
863 *ptr = __fcs(buf); ptr++;
864
865 return rfcomm_send_frame(s, buf, ptr - buf);
866}
867
868static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
869{
870 struct rfcomm_hdr *hdr;
871 struct rfcomm_mcc *mcc;
872 struct rfcomm_pn *pn;
873 u8 buf[16], *ptr = buf;
874
875 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
876
877 hdr = (void *) ptr; ptr += sizeof(*hdr);
878 hdr->addr = __addr(s->initiator, 0);
879 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
880 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
881
882 mcc = (void *) ptr; ptr += sizeof(*mcc);
883 mcc->type = __mcc_type(cr, RFCOMM_PN);
884 mcc->len = __len8(sizeof(*pn));
885
886 pn = (void *) ptr; ptr += sizeof(*pn);
887 pn->dlci = d->dlci;
888 pn->priority = d->priority;
889 pn->ack_timer = 0;
890 pn->max_retrans = 0;
891
892 if (s->cfc) {
893 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
894 pn->credits = RFCOMM_DEFAULT_CREDITS;
895 } else {
896 pn->flow_ctrl = 0;
897 pn->credits = 0;
898 }
899
900 if (cr && channel_mtu >= 0)
901 pn->mtu = cpu_to_le16(channel_mtu);
902 else
903 pn->mtu = cpu_to_le16(d->mtu);
904
905 *ptr = __fcs(buf); ptr++;
906
907 return rfcomm_send_frame(s, buf, ptr - buf);
908}
909
910int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
911 u8 bit_rate, u8 data_bits, u8 stop_bits,
912 u8 parity, u8 flow_ctrl_settings,
913 u8 xon_char, u8 xoff_char, u16 param_mask)
914{
915 struct rfcomm_hdr *hdr;
916 struct rfcomm_mcc *mcc;
917 struct rfcomm_rpn *rpn;
918 u8 buf[16], *ptr = buf;
919
920 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
921 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
922 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
923 flow_ctrl_settings, xon_char, xoff_char, param_mask);
924
925 hdr = (void *) ptr; ptr += sizeof(*hdr);
926 hdr->addr = __addr(s->initiator, 0);
927 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
928 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
929
930 mcc = (void *) ptr; ptr += sizeof(*mcc);
931 mcc->type = __mcc_type(cr, RFCOMM_RPN);
932 mcc->len = __len8(sizeof(*rpn));
933
934 rpn = (void *) ptr; ptr += sizeof(*rpn);
935 rpn->dlci = __addr(1, dlci);
936 rpn->bit_rate = bit_rate;
937 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
938 rpn->flow_ctrl = flow_ctrl_settings;
939 rpn->xon_char = xon_char;
940 rpn->xoff_char = xoff_char;
941 rpn->param_mask = cpu_to_le16(param_mask);
942
943 *ptr = __fcs(buf); ptr++;
944
945 return rfcomm_send_frame(s, buf, ptr - buf);
946}
947
948static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
949{
950 struct rfcomm_hdr *hdr;
951 struct rfcomm_mcc *mcc;
952 struct rfcomm_rls *rls;
953 u8 buf[16], *ptr = buf;
954
955 BT_DBG("%p cr %d status 0x%x", s, cr, status);
956
957 hdr = (void *) ptr; ptr += sizeof(*hdr);
958 hdr->addr = __addr(s->initiator, 0);
959 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
960 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
961
962 mcc = (void *) ptr; ptr += sizeof(*mcc);
963 mcc->type = __mcc_type(cr, RFCOMM_RLS);
964 mcc->len = __len8(sizeof(*rls));
965
966 rls = (void *) ptr; ptr += sizeof(*rls);
967 rls->dlci = __addr(1, dlci);
968 rls->status = status;
969
970 *ptr = __fcs(buf); ptr++;
971
972 return rfcomm_send_frame(s, buf, ptr - buf);
973}
974
975static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
976{
977 struct rfcomm_hdr *hdr;
978 struct rfcomm_mcc *mcc;
979 struct rfcomm_msc *msc;
980 u8 buf[16], *ptr = buf;
981
982 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
983
984 hdr = (void *) ptr; ptr += sizeof(*hdr);
985 hdr->addr = __addr(s->initiator, 0);
986 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
987 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
988
989 mcc = (void *) ptr; ptr += sizeof(*mcc);
990 mcc->type = __mcc_type(cr, RFCOMM_MSC);
991 mcc->len = __len8(sizeof(*msc));
992
993 msc = (void *) ptr; ptr += sizeof(*msc);
994 msc->dlci = __addr(1, dlci);
995 msc->v24_sig = v24_sig | 0x01;
996
997 *ptr = __fcs(buf); ptr++;
998
999 return rfcomm_send_frame(s, buf, ptr - buf);
1000}
1001
1002static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1003{
1004 struct rfcomm_hdr *hdr;
1005 struct rfcomm_mcc *mcc;
1006 u8 buf[16], *ptr = buf;
1007
1008 BT_DBG("%p cr %d", s, cr);
1009
1010 hdr = (void *) ptr; ptr += sizeof(*hdr);
1011 hdr->addr = __addr(s->initiator, 0);
1012 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1013 hdr->len = __len8(sizeof(*mcc));
1014
1015 mcc = (void *) ptr; ptr += sizeof(*mcc);
1016 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1017 mcc->len = __len8(0);
1018
1019 *ptr = __fcs(buf); ptr++;
1020
1021 return rfcomm_send_frame(s, buf, ptr - buf);
1022}
1023
1024static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1025{
1026 struct rfcomm_hdr *hdr;
1027 struct rfcomm_mcc *mcc;
1028 u8 buf[16], *ptr = buf;
1029
1030 BT_DBG("%p cr %d", s, cr);
1031
1032 hdr = (void *) ptr; ptr += sizeof(*hdr);
1033 hdr->addr = __addr(s->initiator, 0);
1034 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1035 hdr->len = __len8(sizeof(*mcc));
1036
1037 mcc = (void *) ptr; ptr += sizeof(*mcc);
1038 mcc->type = __mcc_type(cr, RFCOMM_FCON);
1039 mcc->len = __len8(0);
1040
1041 *ptr = __fcs(buf); ptr++;
1042
1043 return rfcomm_send_frame(s, buf, ptr - buf);
1044}
1045
1046static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1047{
1048 struct socket *sock = s->sock;
1049 struct kvec iv[3];
1050 struct msghdr msg;
1051 unsigned char hdr[5], crc[1];
1052
1053 if (len > 125)
1054 return -EINVAL;
1055
1056 BT_DBG("%p cr %d", s, cr);
1057
1058 hdr[0] = __addr(s->initiator, 0);
1059 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1060 hdr[2] = 0x01 | ((len + 2) << 1);
1061 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1062 hdr[4] = 0x01 | (len << 1);
1063
1064 crc[0] = __fcs(hdr);
1065
1066 iv[0].iov_base = hdr;
1067 iv[0].iov_len = 5;
1068 iv[1].iov_base = pattern;
1069 iv[1].iov_len = len;
1070 iv[2].iov_base = crc;
1071 iv[2].iov_len = 1;
1072
1073 memset(&msg, 0, sizeof(msg));
1074
1075 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1076}
1077
1078static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1079{
1080 struct rfcomm_hdr *hdr;
1081 u8 buf[16], *ptr = buf;
1082
1083 BT_DBG("%p addr %d credits %d", s, addr, credits);
1084
1085 hdr = (void *) ptr; ptr += sizeof(*hdr);
1086 hdr->addr = addr;
1087 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1088 hdr->len = __len8(0);
1089
1090 *ptr = credits; ptr++;
1091
1092 *ptr = __fcs(buf); ptr++;
1093
1094 return rfcomm_send_frame(s, buf, ptr - buf);
1095}
1096
1097static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1098{
1099 struct rfcomm_hdr *hdr;
1100 int len = skb->len;
1101 u8 *crc;
1102
1103 if (len > 127) {
1104 hdr = (void *) skb_push(skb, 4);
1105 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1106 } else {
1107 hdr = (void *) skb_push(skb, 3);
1108 hdr->len = __len8(len);
1109 }
1110 hdr->addr = addr;
1111 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1112
1113 crc = skb_put(skb, 1);
1114 *crc = __fcs((void *) hdr);
1115}
1116
1117/* ---- RFCOMM frame reception ---- */
1118static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1119{
1120 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1121
1122 if (dlci) {
1123 /* Data channel */
1124 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1125 if (!d) {
1126 rfcomm_send_dm(s, dlci);
1127 return 0;
1128 }
1129
1130 switch (d->state) {
1131 case BT_CONNECT:
1132 rfcomm_dlc_clear_timer(d);
1133
1134 rfcomm_dlc_lock(d);
1135 d->state = BT_CONNECTED;
1136 d->state_change(d, 0);
1137 rfcomm_dlc_unlock(d);
1138
1139 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1140 break;
1141
1142 case BT_DISCONN:
1143 d->state = BT_CLOSED;
1144 __rfcomm_dlc_close(d, 0);
1145
1146 if (list_empty(&s->dlcs)) {
1147 s->state = BT_DISCONN;
1148 rfcomm_send_disc(s, 0);
1149 }
1150
1151 break;
1152 }
1153 } else {
1154 /* Control channel */
1155 switch (s->state) {
1156 case BT_CONNECT:
1157 s->state = BT_CONNECTED;
1158 rfcomm_process_connect(s);
1159 break;
1160
1161 case BT_DISCONN:
1162 /* When socket is closed and we are not RFCOMM
1163 * initiator rfcomm_process_rx already calls
1164 * rfcomm_session_put() */
1165 if (s->sock->sk->sk_state != BT_CLOSED)
1166 if (list_empty(&s->dlcs))
1167 rfcomm_session_put(s);
1168 break;
1169 }
1170 }
1171 return 0;
1172}
1173
1174static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1175{
1176 int err = 0;
1177
1178 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1179
1180 if (dlci) {
1181 /* Data DLC */
1182 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1183 if (d) {
1184 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1185 err = ECONNREFUSED;
1186 else
1187 err = ECONNRESET;
1188
1189 d->state = BT_CLOSED;
1190 __rfcomm_dlc_close(d, err);
1191 }
1192 } else {
1193 if (s->state == BT_CONNECT)
1194 err = ECONNREFUSED;
1195 else
1196 err = ECONNRESET;
1197
1198 s->state = BT_CLOSED;
1199 rfcomm_session_close(s, err);
1200 }
1201 return 0;
1202}
1203
1204static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1205{
1206 int err = 0;
1207
1208 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1209
1210 if (dlci) {
1211 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1212 if (d) {
1213 rfcomm_send_ua(s, dlci);
1214
1215 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1216 err = ECONNREFUSED;
1217 else
1218 err = ECONNRESET;
1219
1220 d->state = BT_CLOSED;
1221 __rfcomm_dlc_close(d, err);
1222 } else
1223 rfcomm_send_dm(s, dlci);
1224
1225 } else {
1226 rfcomm_send_ua(s, 0);
1227
1228 if (s->state == BT_CONNECT)
1229 err = ECONNREFUSED;
1230 else
1231 err = ECONNRESET;
1232
1233 s->state = BT_CLOSED;
1234 rfcomm_session_close(s, err);
1235 }
1236
1237 return 0;
1238}
1239
1240void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1241{
1242 struct sock *sk = d->session->sock->sk;
1243 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1244
1245 BT_DBG("dlc %p", d);
1246
1247 rfcomm_send_ua(d->session, d->dlci);
1248
1249 rfcomm_dlc_clear_timer(d);
1250
1251 rfcomm_dlc_lock(d);
1252 d->state = BT_CONNECTED;
1253 d->state_change(d, 0);
1254 rfcomm_dlc_unlock(d);
1255
1256 if (d->role_switch)
1257 hci_conn_switch_role(conn->hcon, 0x00);
1258
1259 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1260}
1261
1262static void rfcomm_check_accept(struct rfcomm_dlc *d)
1263{
1264 if (rfcomm_check_security(d)) {
1265 if (d->defer_setup) {
1266 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1267 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1268
1269 rfcomm_dlc_lock(d);
1270 d->state = BT_CONNECT2;
1271 d->state_change(d, 0);
1272 rfcomm_dlc_unlock(d);
1273 } else
1274 rfcomm_dlc_accept(d);
1275 } else {
1276 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1277 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1278 }
1279}
1280
1281static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1282{
1283 struct rfcomm_dlc *d;
1284 u8 channel;
1285
1286 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1287
1288 if (!dlci) {
1289 rfcomm_send_ua(s, 0);
1290
1291 if (s->state == BT_OPEN) {
1292 s->state = BT_CONNECTED;
1293 rfcomm_process_connect(s);
1294 }
1295 return 0;
1296 }
1297
1298 /* Check if DLC exists */
1299 d = rfcomm_dlc_get(s, dlci);
1300 if (d) {
1301 if (d->state == BT_OPEN) {
1302 /* DLC was previously opened by PN request */
1303 rfcomm_check_accept(d);
1304 }
1305 return 0;
1306 }
1307
1308 /* Notify socket layer about incoming connection */
1309 channel = __srv_channel(dlci);
1310 if (rfcomm_connect_ind(s, channel, &d)) {
1311 d->dlci = dlci;
1312 d->addr = __addr(s->initiator, dlci);
1313 rfcomm_dlc_link(s, d);
1314
1315 rfcomm_check_accept(d);
1316 } else {
1317 rfcomm_send_dm(s, dlci);
1318 }
1319
1320 return 0;
1321}
1322
1323static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1324{
1325 struct rfcomm_session *s = d->session;
1326
1327 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1328 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1329
1330 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1331 pn->flow_ctrl == 0xe0) {
1332 d->cfc = RFCOMM_CFC_ENABLED;
1333 d->tx_credits = pn->credits;
1334 } else {
1335 d->cfc = RFCOMM_CFC_DISABLED;
1336 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1337 }
1338
1339 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1340 s->cfc = d->cfc;
1341
1342 d->priority = pn->priority;
1343
1344 d->mtu = __le16_to_cpu(pn->mtu);
1345
1346 if (cr && d->mtu > s->mtu)
1347 d->mtu = s->mtu;
1348
1349 return 0;
1350}
1351
1352static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1353{
1354 struct rfcomm_pn *pn = (void *) skb->data;
1355 struct rfcomm_dlc *d;
1356 u8 dlci = pn->dlci;
1357
1358 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1359
1360 if (!dlci)
1361 return 0;
1362
1363 d = rfcomm_dlc_get(s, dlci);
1364 if (d) {
1365 if (cr) {
1366 /* PN request */
1367 rfcomm_apply_pn(d, cr, pn);
1368 rfcomm_send_pn(s, 0, d);
1369 } else {
1370 /* PN response */
1371 switch (d->state) {
1372 case BT_CONFIG:
1373 rfcomm_apply_pn(d, cr, pn);
1374
1375 d->state = BT_CONNECT;
1376 rfcomm_send_sabm(s, d->dlci);
1377 break;
1378 }
1379 }
1380 } else {
1381 u8 channel = __srv_channel(dlci);
1382
1383 if (!cr)
1384 return 0;
1385
1386 /* PN request for non existing DLC.
1387 * Assume incoming connection. */
1388 if (rfcomm_connect_ind(s, channel, &d)) {
1389 d->dlci = dlci;
1390 d->addr = __addr(s->initiator, dlci);
1391 rfcomm_dlc_link(s, d);
1392
1393 rfcomm_apply_pn(d, cr, pn);
1394
1395 d->state = BT_OPEN;
1396 rfcomm_send_pn(s, 0, d);
1397 } else {
1398 rfcomm_send_dm(s, dlci);
1399 }
1400 }
1401 return 0;
1402}
1403
1404static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1405{
1406 struct rfcomm_rpn *rpn = (void *) skb->data;
1407 u8 dlci = __get_dlci(rpn->dlci);
1408
1409 u8 bit_rate = 0;
1410 u8 data_bits = 0;
1411 u8 stop_bits = 0;
1412 u8 parity = 0;
1413 u8 flow_ctrl = 0;
1414 u8 xon_char = 0;
1415 u8 xoff_char = 0;
1416 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1417
1418 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1419 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1420 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1421
1422 if (!cr)
1423 return 0;
1424
1425 if (len == 1) {
1426 /* This is a request, return default (according to ETSI TS 07.10) settings */
1427 bit_rate = RFCOMM_RPN_BR_9600;
1428 data_bits = RFCOMM_RPN_DATA_8;
1429 stop_bits = RFCOMM_RPN_STOP_1;
1430 parity = RFCOMM_RPN_PARITY_NONE;
1431 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1432 xon_char = RFCOMM_RPN_XON_CHAR;
1433 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1434 goto rpn_out;
1435 }
1436
1437 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1438 * no parity, no flow control lines, normal XON/XOFF chars */
1439
1440 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1441 bit_rate = rpn->bit_rate;
1442 if (bit_rate > RFCOMM_RPN_BR_230400) {
1443 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1444 bit_rate = RFCOMM_RPN_BR_9600;
1445 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1446 }
1447 }
1448
1449 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1450 data_bits = __get_rpn_data_bits(rpn->line_settings);
1451 if (data_bits != RFCOMM_RPN_DATA_8) {
1452 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1453 data_bits = RFCOMM_RPN_DATA_8;
1454 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1455 }
1456 }
1457
1458 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1459 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1460 if (stop_bits != RFCOMM_RPN_STOP_1) {
1461 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1462 stop_bits = RFCOMM_RPN_STOP_1;
1463 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1464 }
1465 }
1466
1467 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1468 parity = __get_rpn_parity(rpn->line_settings);
1469 if (parity != RFCOMM_RPN_PARITY_NONE) {
1470 BT_DBG("RPN parity mismatch 0x%x", parity);
1471 parity = RFCOMM_RPN_PARITY_NONE;
1472 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1473 }
1474 }
1475
1476 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1477 flow_ctrl = rpn->flow_ctrl;
1478 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1479 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1480 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1481 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1482 }
1483 }
1484
1485 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1486 xon_char = rpn->xon_char;
1487 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1488 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1489 xon_char = RFCOMM_RPN_XON_CHAR;
1490 rpn_mask ^= RFCOMM_RPN_PM_XON;
1491 }
1492 }
1493
1494 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1495 xoff_char = rpn->xoff_char;
1496 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1497 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1498 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1499 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1500 }
1501 }
1502
1503rpn_out:
1504 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1505 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1506
1507 return 0;
1508}
1509
1510static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1511{
1512 struct rfcomm_rls *rls = (void *) skb->data;
1513 u8 dlci = __get_dlci(rls->dlci);
1514
1515 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1516
1517 if (!cr)
1518 return 0;
1519
1520 /* We should probably do something with this information here. But
1521 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1522 * mandatory to recognise and respond to RLS */
1523
1524 rfcomm_send_rls(s, 0, dlci, rls->status);
1525
1526 return 0;
1527}
1528
1529static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1530{
1531 struct rfcomm_msc *msc = (void *) skb->data;
1532 struct rfcomm_dlc *d;
1533 u8 dlci = __get_dlci(msc->dlci);
1534
1535 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1536
1537 d = rfcomm_dlc_get(s, dlci);
1538 if (!d)
1539 return 0;
1540
1541 if (cr) {
1542 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1543 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1544 else
1545 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1546
1547 rfcomm_dlc_lock(d);
1548
1549 d->remote_v24_sig = msc->v24_sig;
1550
1551 if (d->modem_status)
1552 d->modem_status(d, msc->v24_sig);
1553
1554 rfcomm_dlc_unlock(d);
1555
1556 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1557
1558 d->mscex |= RFCOMM_MSCEX_RX;
1559 } else
1560 d->mscex |= RFCOMM_MSCEX_TX;
1561
1562 return 0;
1563}
1564
1565static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1566{
1567 struct rfcomm_mcc *mcc = (void *) skb->data;
1568 u8 type, cr, len;
1569
1570 cr = __test_cr(mcc->type);
1571 type = __get_mcc_type(mcc->type);
1572 len = __get_mcc_len(mcc->len);
1573
1574 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1575
1576 skb_pull(skb, 2);
1577
1578 switch (type) {
1579 case RFCOMM_PN:
1580 rfcomm_recv_pn(s, cr, skb);
1581 break;
1582
1583 case RFCOMM_RPN:
1584 rfcomm_recv_rpn(s, cr, len, skb);
1585 break;
1586
1587 case RFCOMM_RLS:
1588 rfcomm_recv_rls(s, cr, skb);
1589 break;
1590
1591 case RFCOMM_MSC:
1592 rfcomm_recv_msc(s, cr, skb);
1593 break;
1594
1595 case RFCOMM_FCOFF:
1596 if (cr) {
1597 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1598 rfcomm_send_fcoff(s, 0);
1599 }
1600 break;
1601
1602 case RFCOMM_FCON:
1603 if (cr) {
1604 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1605 rfcomm_send_fcon(s, 0);
1606 }
1607 break;
1608
1609 case RFCOMM_TEST:
1610 if (cr)
1611 rfcomm_send_test(s, 0, skb->data, skb->len);
1612 break;
1613
1614 case RFCOMM_NSC:
1615 break;
1616
1617 default:
1618 BT_ERR("Unknown control type 0x%02x", type);
1619 rfcomm_send_nsc(s, cr, type);
1620 break;
1621 }
1622 return 0;
1623}
1624
1625static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1626{
1627 struct rfcomm_dlc *d;
1628
1629 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1630
1631 d = rfcomm_dlc_get(s, dlci);
1632 if (!d) {
1633 rfcomm_send_dm(s, dlci);
1634 goto drop;
1635 }
1636
1637 if (pf && d->cfc) {
1638 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1639
1640 d->tx_credits += credits;
1641 if (d->tx_credits)
1642 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1643 }
1644
1645 if (skb->len && d->state == BT_CONNECTED) {
1646 rfcomm_dlc_lock(d);
1647 d->rx_credits--;
1648 d->data_ready(d, skb);
1649 rfcomm_dlc_unlock(d);
1650 return 0;
1651 }
1652
1653drop:
1654 kfree_skb(skb);
1655 return 0;
1656}
1657
1658static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1659{
1660 struct rfcomm_hdr *hdr = (void *) skb->data;
1661 u8 type, dlci, fcs;
1662
1663 dlci = __get_dlci(hdr->addr);
1664 type = __get_type(hdr->ctrl);
1665
1666 /* Trim FCS */
1667 skb->len--; skb->tail--;
1668 fcs = *(u8 *)skb_tail_pointer(skb);
1669
1670 if (__check_fcs(skb->data, type, fcs)) {
1671 BT_ERR("bad checksum in packet");
1672 kfree_skb(skb);
1673 return -EILSEQ;
1674 }
1675
1676 if (__test_ea(hdr->len))
1677 skb_pull(skb, 3);
1678 else
1679 skb_pull(skb, 4);
1680
1681 switch (type) {
1682 case RFCOMM_SABM:
1683 if (__test_pf(hdr->ctrl))
1684 rfcomm_recv_sabm(s, dlci);
1685 break;
1686
1687 case RFCOMM_DISC:
1688 if (__test_pf(hdr->ctrl))
1689 rfcomm_recv_disc(s, dlci);
1690 break;
1691
1692 case RFCOMM_UA:
1693 if (__test_pf(hdr->ctrl))
1694 rfcomm_recv_ua(s, dlci);
1695 break;
1696
1697 case RFCOMM_DM:
1698 rfcomm_recv_dm(s, dlci);
1699 break;
1700
1701 case RFCOMM_UIH:
1702 if (dlci)
1703 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1704
1705 rfcomm_recv_mcc(s, skb);
1706 break;
1707
1708 default:
1709 BT_ERR("Unknown packet type 0x%02x", type);
1710 break;
1711 }
1712 kfree_skb(skb);
1713 return 0;
1714}
1715
1716/* ---- Connection and data processing ---- */
1717
1718static void rfcomm_process_connect(struct rfcomm_session *s)
1719{
1720 struct rfcomm_dlc *d;
1721 struct list_head *p, *n;
1722
1723 BT_DBG("session %p state %ld", s, s->state);
1724
1725 list_for_each_safe(p, n, &s->dlcs) {
1726 d = list_entry(p, struct rfcomm_dlc, list);
1727 if (d->state == BT_CONFIG) {
1728 d->mtu = s->mtu;
1729 if (rfcomm_check_security(d)) {
1730 rfcomm_send_pn(s, 1, d);
1731 } else {
1732 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1733 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1734 }
1735 }
1736 }
1737}
1738
1739/* Send data queued for the DLC.
1740 * Return number of frames left in the queue.
1741 */
1742static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1743{
1744 struct sk_buff *skb;
1745 int err;
1746
1747 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1748 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1749
1750 /* Send pending MSC */
1751 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1752 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1753
1754 if (d->cfc) {
1755 /* CFC enabled.
1756 * Give them some credits */
1757 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1758 d->rx_credits <= (d->cfc >> 2)) {
1759 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1760 d->rx_credits = d->cfc;
1761 }
1762 } else {
1763 /* CFC disabled.
1764 * Give ourselves some credits */
1765 d->tx_credits = 5;
1766 }
1767
1768 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1769 return skb_queue_len(&d->tx_queue);
1770
1771 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1772 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1773 if (err < 0) {
1774 skb_queue_head(&d->tx_queue, skb);
1775 break;
1776 }
1777 kfree_skb(skb);
1778 d->tx_credits--;
1779 }
1780
1781 if (d->cfc && !d->tx_credits) {
1782 /* We're out of TX credits.
1783 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1784 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1785 }
1786
1787 return skb_queue_len(&d->tx_queue);
1788}
1789
1790static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1791{
1792 struct rfcomm_dlc *d;
1793 struct list_head *p, *n;
1794
1795 BT_DBG("session %p state %ld", s, s->state);
1796
1797 list_for_each_safe(p, n, &s->dlcs) {
1798 d = list_entry(p, struct rfcomm_dlc, list);
1799
1800 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1801 __rfcomm_dlc_close(d, ETIMEDOUT);
1802 continue;
1803 }
1804
1805 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1806 rfcomm_dlc_clear_timer(d);
1807 if (d->out) {
1808 rfcomm_send_pn(s, 1, d);
1809 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1810 } else {
1811 if (d->defer_setup) {
1812 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1813 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1814
1815 rfcomm_dlc_lock(d);
1816 d->state = BT_CONNECT2;
1817 d->state_change(d, 0);
1818 rfcomm_dlc_unlock(d);
1819 } else
1820 rfcomm_dlc_accept(d);
1821 }
1822 continue;
1823 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1824 rfcomm_dlc_clear_timer(d);
1825 if (!d->out)
1826 rfcomm_send_dm(s, d->dlci);
1827 else
1828 d->state = BT_CLOSED;
1829 __rfcomm_dlc_close(d, ECONNREFUSED);
1830 continue;
1831 }
1832
1833 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1834 continue;
1835
1836 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1837 continue;
1838
1839 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1840 d->mscex == RFCOMM_MSCEX_OK)
1841 rfcomm_process_tx(d);
1842 }
1843}
1844
1845static inline void rfcomm_process_rx(struct rfcomm_session *s)
1846{
1847 struct socket *sock = s->sock;
1848 struct sock *sk = sock->sk;
1849 struct sk_buff *skb;
1850
1851 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1852
1853 /* Get data directly from socket receive queue without copying it. */
1854 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1855 skb_orphan(skb);
1856 rfcomm_recv_frame(s, skb);
1857 }
1858
1859 if (sk->sk_state == BT_CLOSED) {
1860 if (!s->initiator)
1861 rfcomm_session_put(s);
1862
1863 rfcomm_session_close(s, sk->sk_err);
1864 }
1865}
1866
1867static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1868{
1869 struct socket *sock = s->sock, *nsock;
1870 int err;
1871
1872 /* Fast check for a new connection.
1873 * Avoids unnesesary socket allocations. */
1874 if (list_empty(&bt_sk(sock->sk)->accept_q))
1875 return;
1876
1877 BT_DBG("session %p", s);
1878
1879 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1880 if (err < 0)
1881 return;
1882
1883 /* Set our callbacks */
1884 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1885 nsock->sk->sk_state_change = rfcomm_l2state_change;
1886
1887 s = rfcomm_session_add(nsock, BT_OPEN);
1888 if (s) {
1889 rfcomm_session_hold(s);
1890
1891 /* We should adjust MTU on incoming sessions.
1892 * L2CAP MTU minus UIH header and FCS. */
1893 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1894 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1895
1896 rfcomm_schedule();
1897 } else
1898 sock_release(nsock);
1899}
1900
1901static inline void rfcomm_check_connection(struct rfcomm_session *s)
1902{
1903 struct sock *sk = s->sock->sk;
1904
1905 BT_DBG("%p state %ld", s, s->state);
1906
1907 switch (sk->sk_state) {
1908 case BT_CONNECTED:
1909 s->state = BT_CONNECT;
1910
1911 /* We can adjust MTU on outgoing sessions.
1912 * L2CAP MTU minus UIH header and FCS. */
1913 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1914
1915 rfcomm_send_sabm(s, 0);
1916 break;
1917
1918 case BT_CLOSED:
1919 s->state = BT_CLOSED;
1920 rfcomm_session_close(s, sk->sk_err);
1921 break;
1922 }
1923}
1924
1925static inline void rfcomm_process_sessions(void)
1926{
1927 struct list_head *p, *n;
1928
1929 rfcomm_lock();
1930
1931 list_for_each_safe(p, n, &session_list) {
1932 struct rfcomm_session *s;
1933 s = list_entry(p, struct rfcomm_session, list);
1934
1935 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1936 s->state = BT_DISCONN;
1937 rfcomm_send_disc(s, 0);
1938 rfcomm_session_put(s);
1939 continue;
1940 }
1941
1942 if (s->state == BT_LISTEN) {
1943 rfcomm_accept_connection(s);
1944 continue;
1945 }
1946
1947 rfcomm_session_hold(s);
1948
1949 switch (s->state) {
1950 case BT_BOUND:
1951 rfcomm_check_connection(s);
1952 break;
1953
1954 default:
1955 rfcomm_process_rx(s);
1956 break;
1957 }
1958
1959 rfcomm_process_dlcs(s);
1960
1961 rfcomm_session_put(s);
1962 }
1963
1964 rfcomm_unlock();
1965}
1966
1967static int rfcomm_add_listener(bdaddr_t *ba)
1968{
1969 struct sockaddr_l2 addr;
1970 struct socket *sock;
1971 struct sock *sk;
1972 struct rfcomm_session *s;
1973 int err = 0;
1974
1975 /* Create socket */
1976 err = rfcomm_l2sock_create(&sock);
1977 if (err < 0) {
1978 BT_ERR("Create socket failed %d", err);
1979 return err;
1980 }
1981
1982 /* Bind socket */
1983 bacpy(&addr.l2_bdaddr, ba);
1984 addr.l2_family = AF_BLUETOOTH;
1985 addr.l2_psm = cpu_to_le16(RFCOMM_PSM);
1986 addr.l2_cid = 0;
1987 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1988 if (err < 0) {
1989 BT_ERR("Bind failed %d", err);
1990 goto failed;
1991 }
1992
1993 /* Set L2CAP options */
1994 sk = sock->sk;
1995 lock_sock(sk);
1996 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
1997 release_sock(sk);
1998
1999 /* Start listening on the socket */
2000 err = kernel_listen(sock, 10);
2001 if (err) {
2002 BT_ERR("Listen failed %d", err);
2003 goto failed;
2004 }
2005
2006 /* Add listening session */
2007 s = rfcomm_session_add(sock, BT_LISTEN);
2008 if (!s)
2009 goto failed;
2010
2011 rfcomm_session_hold(s);
2012 return 0;
2013failed:
2014 sock_release(sock);
2015 return err;
2016}
2017
2018static void rfcomm_kill_listener(void)
2019{
2020 struct rfcomm_session *s;
2021 struct list_head *p, *n;
2022
2023 BT_DBG("");
2024
2025 list_for_each_safe(p, n, &session_list) {
2026 s = list_entry(p, struct rfcomm_session, list);
2027 rfcomm_session_del(s);
2028 }
2029}
2030
2031static int rfcomm_run(void *unused)
2032{
2033 BT_DBG("");
2034
2035 set_user_nice(current, -10);
2036
2037 rfcomm_add_listener(BDADDR_ANY);
2038
2039 while (1) {
2040 set_current_state(TASK_INTERRUPTIBLE);
2041
2042 if (kthread_should_stop())
2043 break;
2044
2045 /* Process stuff */
2046 rfcomm_process_sessions();
2047
2048 schedule();
2049 }
2050 __set_current_state(TASK_RUNNING);
2051
2052 rfcomm_kill_listener();
2053
2054 return 0;
2055}
2056
2057static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2058{
2059 struct rfcomm_session *s;
2060 struct rfcomm_dlc *d;
2061 struct list_head *p, *n;
2062
2063 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2064
2065 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2066 if (!s)
2067 return;
2068
2069 rfcomm_session_hold(s);
2070
2071 list_for_each_safe(p, n, &s->dlcs) {
2072 d = list_entry(p, struct rfcomm_dlc, list);
2073
2074 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2075 rfcomm_dlc_clear_timer(d);
2076 if (status || encrypt == 0x00) {
2077 __rfcomm_dlc_close(d, ECONNREFUSED);
2078 continue;
2079 }
2080 }
2081
2082 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2083 if (d->sec_level == BT_SECURITY_MEDIUM) {
2084 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2085 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2086 continue;
2087 } else if (d->sec_level == BT_SECURITY_HIGH) {
2088 __rfcomm_dlc_close(d, ECONNREFUSED);
2089 continue;
2090 }
2091 }
2092
2093 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2094 continue;
2095
2096 if (!status && hci_conn_check_secure(conn, d->sec_level))
2097 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2098 else
2099 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2100 }
2101
2102 rfcomm_session_put(s);
2103
2104 rfcomm_schedule();
2105}
2106
2107static struct hci_cb rfcomm_cb = {
2108 .name = "RFCOMM",
2109 .security_cfm = rfcomm_security_cfm
2110};
2111
2112static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2113{
2114 struct rfcomm_session *s;
2115 struct list_head *pp, *p;
2116
2117 rfcomm_lock();
2118
2119 list_for_each(p, &session_list) {
2120 s = list_entry(p, struct rfcomm_session, list);
2121 list_for_each(pp, &s->dlcs) {
2122 struct sock *sk = s->sock->sk;
2123 struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
2124
2125 seq_printf(f, "%s %s %ld %d %d %d %d\n",
2126 batostr(&bt_sk(sk)->src),
2127 batostr(&bt_sk(sk)->dst),
2128 d->state, d->dlci, d->mtu,
2129 d->rx_credits, d->tx_credits);
2130 }
2131 }
2132
2133 rfcomm_unlock();
2134
2135 return 0;
2136}
2137
2138static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2139{
2140 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2141}
2142
2143static const struct file_operations rfcomm_dlc_debugfs_fops = {
2144 .open = rfcomm_dlc_debugfs_open,
2145 .read = seq_read,
2146 .llseek = seq_lseek,
2147 .release = single_release,
2148};
2149
2150static struct dentry *rfcomm_dlc_debugfs;
2151
2152/* ---- Initialization ---- */
2153static int __init rfcomm_init(void)
2154{
2155 int err;
2156
2157 hci_register_cb(&rfcomm_cb);
2158
2159 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2160 if (IS_ERR(rfcomm_thread)) {
2161 err = PTR_ERR(rfcomm_thread);
2162 goto unregister;
2163 }
2164
2165 if (bt_debugfs) {
2166 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2167 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2168 if (!rfcomm_dlc_debugfs)
2169 BT_ERR("Failed to create RFCOMM debug file");
2170 }
2171
2172 err = rfcomm_init_ttys();
2173 if (err < 0)
2174 goto stop;
2175
2176 err = rfcomm_init_sockets();
2177 if (err < 0)
2178 goto cleanup;
2179
2180 BT_INFO("RFCOMM ver %s", VERSION);
2181
2182 return 0;
2183
2184cleanup:
2185 rfcomm_cleanup_ttys();
2186
2187stop:
2188 kthread_stop(rfcomm_thread);
2189
2190unregister:
2191 hci_unregister_cb(&rfcomm_cb);
2192
2193 return err;
2194}
2195
2196static void __exit rfcomm_exit(void)
2197{
2198 debugfs_remove(rfcomm_dlc_debugfs);
2199
2200 hci_unregister_cb(&rfcomm_cb);
2201
2202 kthread_stop(rfcomm_thread);
2203
2204 rfcomm_cleanup_ttys();
2205
2206 rfcomm_cleanup_sockets();
2207}
2208
2209module_init(rfcomm_init);
2210module_exit(rfcomm_exit);
2211
2212module_param(disable_cfc, bool, 0644);
2213MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2214
2215module_param(channel_mtu, int, 0644);
2216MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2217
2218module_param(l2cap_mtu, uint, 0644);
2219MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2220
2221module_param(l2cap_ertm, bool, 0644);
2222MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2223
2224MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2225MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2226MODULE_VERSION(VERSION);
2227MODULE_LICENSE("GPL");
2228MODULE_ALIAS("bt-proto-3");
1/*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22*/
23
24/*
25 * Bluetooth RFCOMM core.
26 */
27
28#include <linux/module.h>
29#include <linux/debugfs.h>
30#include <linux/kthread.h>
31#include <asm/unaligned.h>
32
33#include <net/bluetooth/bluetooth.h>
34#include <net/bluetooth/hci_core.h>
35#include <net/bluetooth/l2cap.h>
36#include <net/bluetooth/rfcomm.h>
37
38#define VERSION "1.11"
39
40static bool disable_cfc;
41static bool l2cap_ertm;
42static int channel_mtu = -1;
43
44static struct task_struct *rfcomm_thread;
45
46static DEFINE_MUTEX(rfcomm_mutex);
47#define rfcomm_lock() mutex_lock(&rfcomm_mutex)
48#define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
49
50
51static LIST_HEAD(session_list);
52
53static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
54static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
55static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
56static int rfcomm_queue_disc(struct rfcomm_dlc *d);
57static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
58static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
59static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
60static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
61static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
62static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
63
64static void rfcomm_process_connect(struct rfcomm_session *s);
65
66static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
67 bdaddr_t *dst,
68 u8 sec_level,
69 int *err);
70static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
71static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
72
73/* ---- RFCOMM frame parsing macros ---- */
74#define __get_dlci(b) ((b & 0xfc) >> 2)
75#define __get_type(b) ((b & 0xef))
76
77#define __test_ea(b) ((b & 0x01))
78#define __test_cr(b) (!!(b & 0x02))
79#define __test_pf(b) (!!(b & 0x10))
80
81#define __session_dir(s) ((s)->initiator ? 0x00 : 0x01)
82
83#define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
84#define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
85#define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
86#define __srv_channel(dlci) (dlci >> 1)
87
88#define __len8(len) (((len) << 1) | 1)
89#define __len16(len) ((len) << 1)
90
91/* MCC macros */
92#define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
93#define __get_mcc_type(b) ((b & 0xfc) >> 2)
94#define __get_mcc_len(b) ((b & 0xfe) >> 1)
95
96/* RPN macros */
97#define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
98#define __get_rpn_data_bits(line) ((line) & 0x3)
99#define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
100#define __get_rpn_parity(line) (((line) >> 3) & 0x7)
101
102static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq);
103
104static void rfcomm_schedule(void)
105{
106 wake_up_all(&rfcomm_wq);
107}
108
109/* ---- RFCOMM FCS computation ---- */
110
111/* reversed, 8-bit, poly=0x07 */
112static unsigned char rfcomm_crc_table[256] = {
113 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
114 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
115 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
116 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
117
118 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
119 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
120 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
121 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
122
123 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
124 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
125 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
126 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
127
128 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
129 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
130 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
131 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
132
133 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
134 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
135 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
136 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
137
138 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
139 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
140 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
141 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
142
143 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
144 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
145 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
146 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
147
148 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
149 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
150 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
151 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
152};
153
154/* CRC on 2 bytes */
155#define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
156
157/* FCS on 2 bytes */
158static inline u8 __fcs(u8 *data)
159{
160 return 0xff - __crc(data);
161}
162
163/* FCS on 3 bytes */
164static inline u8 __fcs2(u8 *data)
165{
166 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
167}
168
169/* Check FCS */
170static inline int __check_fcs(u8 *data, int type, u8 fcs)
171{
172 u8 f = __crc(data);
173
174 if (type != RFCOMM_UIH)
175 f = rfcomm_crc_table[f ^ data[2]];
176
177 return rfcomm_crc_table[f ^ fcs] != 0xcf;
178}
179
180/* ---- L2CAP callbacks ---- */
181static void rfcomm_l2state_change(struct sock *sk)
182{
183 BT_DBG("%p state %d", sk, sk->sk_state);
184 rfcomm_schedule();
185}
186
187static void rfcomm_l2data_ready(struct sock *sk)
188{
189 BT_DBG("%p", sk);
190 rfcomm_schedule();
191}
192
193static int rfcomm_l2sock_create(struct socket **sock)
194{
195 int err;
196
197 BT_DBG("");
198
199 err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
200 if (!err) {
201 struct sock *sk = (*sock)->sk;
202 sk->sk_data_ready = rfcomm_l2data_ready;
203 sk->sk_state_change = rfcomm_l2state_change;
204 }
205 return err;
206}
207
208static int rfcomm_check_security(struct rfcomm_dlc *d)
209{
210 struct sock *sk = d->session->sock->sk;
211 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
212
213 __u8 auth_type;
214
215 switch (d->sec_level) {
216 case BT_SECURITY_HIGH:
217 case BT_SECURITY_FIPS:
218 auth_type = HCI_AT_GENERAL_BONDING_MITM;
219 break;
220 case BT_SECURITY_MEDIUM:
221 auth_type = HCI_AT_GENERAL_BONDING;
222 break;
223 default:
224 auth_type = HCI_AT_NO_BONDING;
225 break;
226 }
227
228 return hci_conn_security(conn->hcon, d->sec_level, auth_type,
229 d->out);
230}
231
232static void rfcomm_session_timeout(struct timer_list *t)
233{
234 struct rfcomm_session *s = from_timer(s, t, timer);
235
236 BT_DBG("session %p state %ld", s, s->state);
237
238 set_bit(RFCOMM_TIMED_OUT, &s->flags);
239 rfcomm_schedule();
240}
241
242static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
243{
244 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
245
246 mod_timer(&s->timer, jiffies + timeout);
247}
248
249static void rfcomm_session_clear_timer(struct rfcomm_session *s)
250{
251 BT_DBG("session %p state %ld", s, s->state);
252
253 del_timer_sync(&s->timer);
254}
255
256/* ---- RFCOMM DLCs ---- */
257static void rfcomm_dlc_timeout(struct timer_list *t)
258{
259 struct rfcomm_dlc *d = from_timer(d, t, timer);
260
261 BT_DBG("dlc %p state %ld", d, d->state);
262
263 set_bit(RFCOMM_TIMED_OUT, &d->flags);
264 rfcomm_dlc_put(d);
265 rfcomm_schedule();
266}
267
268static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
269{
270 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
271
272 if (!mod_timer(&d->timer, jiffies + timeout))
273 rfcomm_dlc_hold(d);
274}
275
276static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
277{
278 BT_DBG("dlc %p state %ld", d, d->state);
279
280 if (del_timer(&d->timer))
281 rfcomm_dlc_put(d);
282}
283
284static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
285{
286 BT_DBG("%p", d);
287
288 d->state = BT_OPEN;
289 d->flags = 0;
290 d->mscex = 0;
291 d->sec_level = BT_SECURITY_LOW;
292 d->mtu = RFCOMM_DEFAULT_MTU;
293 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
294
295 d->cfc = RFCOMM_CFC_DISABLED;
296 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
297}
298
299struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
300{
301 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
302
303 if (!d)
304 return NULL;
305
306 timer_setup(&d->timer, rfcomm_dlc_timeout, 0);
307
308 skb_queue_head_init(&d->tx_queue);
309 mutex_init(&d->lock);
310 refcount_set(&d->refcnt, 1);
311
312 rfcomm_dlc_clear_state(d);
313
314 BT_DBG("%p", d);
315
316 return d;
317}
318
319void rfcomm_dlc_free(struct rfcomm_dlc *d)
320{
321 BT_DBG("%p", d);
322
323 skb_queue_purge(&d->tx_queue);
324 kfree(d);
325}
326
327static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
328{
329 BT_DBG("dlc %p session %p", d, s);
330
331 rfcomm_session_clear_timer(s);
332 rfcomm_dlc_hold(d);
333 list_add(&d->list, &s->dlcs);
334 d->session = s;
335}
336
337static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
338{
339 struct rfcomm_session *s = d->session;
340
341 BT_DBG("dlc %p refcnt %d session %p", d, refcount_read(&d->refcnt), s);
342
343 list_del(&d->list);
344 d->session = NULL;
345 rfcomm_dlc_put(d);
346
347 if (list_empty(&s->dlcs))
348 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
349}
350
351static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
352{
353 struct rfcomm_dlc *d;
354
355 list_for_each_entry(d, &s->dlcs, list)
356 if (d->dlci == dlci)
357 return d;
358
359 return NULL;
360}
361
362static int rfcomm_check_channel(u8 channel)
363{
364 return channel < 1 || channel > 30;
365}
366
367static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
368{
369 struct rfcomm_session *s;
370 int err = 0;
371 u8 dlci;
372
373 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
374 d, d->state, src, dst, channel);
375
376 if (rfcomm_check_channel(channel))
377 return -EINVAL;
378
379 if (d->state != BT_OPEN && d->state != BT_CLOSED)
380 return 0;
381
382 s = rfcomm_session_get(src, dst);
383 if (!s) {
384 s = rfcomm_session_create(src, dst, d->sec_level, &err);
385 if (!s)
386 return err;
387 }
388
389 dlci = __dlci(__session_dir(s), channel);
390
391 /* Check if DLCI already exists */
392 if (rfcomm_dlc_get(s, dlci))
393 return -EBUSY;
394
395 rfcomm_dlc_clear_state(d);
396
397 d->dlci = dlci;
398 d->addr = __addr(s->initiator, dlci);
399 d->priority = 7;
400
401 d->state = BT_CONFIG;
402 rfcomm_dlc_link(s, d);
403
404 d->out = 1;
405
406 d->mtu = s->mtu;
407 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
408
409 if (s->state == BT_CONNECTED) {
410 if (rfcomm_check_security(d))
411 rfcomm_send_pn(s, 1, d);
412 else
413 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
414 }
415
416 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
417
418 return 0;
419}
420
421int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
422{
423 int r;
424
425 rfcomm_lock();
426
427 r = __rfcomm_dlc_open(d, src, dst, channel);
428
429 rfcomm_unlock();
430 return r;
431}
432
433static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
434{
435 struct rfcomm_session *s = d->session;
436
437 d->state = BT_DISCONN;
438 if (skb_queue_empty(&d->tx_queue)) {
439 rfcomm_send_disc(s, d->dlci);
440 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
441 } else {
442 rfcomm_queue_disc(d);
443 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
444 }
445}
446
447static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
448{
449 struct rfcomm_session *s = d->session;
450 if (!s)
451 return 0;
452
453 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
454 d, d->state, d->dlci, err, s);
455
456 switch (d->state) {
457 case BT_CONNECT:
458 case BT_CONFIG:
459 case BT_OPEN:
460 case BT_CONNECT2:
461 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
462 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
463 rfcomm_schedule();
464 return 0;
465 }
466 }
467
468 switch (d->state) {
469 case BT_CONNECT:
470 case BT_CONNECTED:
471 __rfcomm_dlc_disconn(d);
472 break;
473
474 case BT_CONFIG:
475 if (s->state != BT_BOUND) {
476 __rfcomm_dlc_disconn(d);
477 break;
478 }
479 /* if closing a dlc in a session that hasn't been started,
480 * just close and unlink the dlc
481 */
482 fallthrough;
483
484 default:
485 rfcomm_dlc_clear_timer(d);
486
487 rfcomm_dlc_lock(d);
488 d->state = BT_CLOSED;
489 d->state_change(d, err);
490 rfcomm_dlc_unlock(d);
491
492 skb_queue_purge(&d->tx_queue);
493 rfcomm_dlc_unlink(d);
494 }
495
496 return 0;
497}
498
499int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
500{
501 int r = 0;
502 struct rfcomm_dlc *d_list;
503 struct rfcomm_session *s, *s_list;
504
505 BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
506
507 rfcomm_lock();
508
509 s = d->session;
510 if (!s)
511 goto no_session;
512
513 /* after waiting on the mutex check the session still exists
514 * then check the dlc still exists
515 */
516 list_for_each_entry(s_list, &session_list, list) {
517 if (s_list == s) {
518 list_for_each_entry(d_list, &s->dlcs, list) {
519 if (d_list == d) {
520 r = __rfcomm_dlc_close(d, err);
521 break;
522 }
523 }
524 break;
525 }
526 }
527
528no_session:
529 rfcomm_unlock();
530 return r;
531}
532
533struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
534{
535 struct rfcomm_session *s;
536 struct rfcomm_dlc *dlc = NULL;
537 u8 dlci;
538
539 if (rfcomm_check_channel(channel))
540 return ERR_PTR(-EINVAL);
541
542 rfcomm_lock();
543 s = rfcomm_session_get(src, dst);
544 if (s) {
545 dlci = __dlci(__session_dir(s), channel);
546 dlc = rfcomm_dlc_get(s, dlci);
547 }
548 rfcomm_unlock();
549 return dlc;
550}
551
552int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
553{
554 int len = skb->len;
555
556 if (d->state != BT_CONNECTED)
557 return -ENOTCONN;
558
559 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
560
561 if (len > d->mtu)
562 return -EINVAL;
563
564 rfcomm_make_uih(skb, d->addr);
565 skb_queue_tail(&d->tx_queue, skb);
566
567 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
568 rfcomm_schedule();
569 return len;
570}
571
572void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
573{
574 int len = skb->len;
575
576 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
577
578 rfcomm_make_uih(skb, d->addr);
579 skb_queue_tail(&d->tx_queue, skb);
580
581 if (d->state == BT_CONNECTED &&
582 !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
583 rfcomm_schedule();
584}
585
586void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
587{
588 BT_DBG("dlc %p state %ld", d, d->state);
589
590 if (!d->cfc) {
591 d->v24_sig |= RFCOMM_V24_FC;
592 set_bit(RFCOMM_MSC_PENDING, &d->flags);
593 }
594 rfcomm_schedule();
595}
596
597void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
598{
599 BT_DBG("dlc %p state %ld", d, d->state);
600
601 if (!d->cfc) {
602 d->v24_sig &= ~RFCOMM_V24_FC;
603 set_bit(RFCOMM_MSC_PENDING, &d->flags);
604 }
605 rfcomm_schedule();
606}
607
608/*
609 Set/get modem status functions use _local_ status i.e. what we report
610 to the other side.
611 Remote status is provided by dlc->modem_status() callback.
612 */
613int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
614{
615 BT_DBG("dlc %p state %ld v24_sig 0x%x",
616 d, d->state, v24_sig);
617
618 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
619 v24_sig |= RFCOMM_V24_FC;
620 else
621 v24_sig &= ~RFCOMM_V24_FC;
622
623 d->v24_sig = v24_sig;
624
625 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
626 rfcomm_schedule();
627
628 return 0;
629}
630
631int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
632{
633 BT_DBG("dlc %p state %ld v24_sig 0x%x",
634 d, d->state, d->v24_sig);
635
636 *v24_sig = d->v24_sig;
637 return 0;
638}
639
640/* ---- RFCOMM sessions ---- */
641static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
642{
643 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
644
645 if (!s)
646 return NULL;
647
648 BT_DBG("session %p sock %p", s, sock);
649
650 timer_setup(&s->timer, rfcomm_session_timeout, 0);
651
652 INIT_LIST_HEAD(&s->dlcs);
653 s->state = state;
654 s->sock = sock;
655
656 s->mtu = RFCOMM_DEFAULT_MTU;
657 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
658
659 /* Do not increment module usage count for listening sessions.
660 * Otherwise we won't be able to unload the module. */
661 if (state != BT_LISTEN)
662 if (!try_module_get(THIS_MODULE)) {
663 kfree(s);
664 return NULL;
665 }
666
667 list_add(&s->list, &session_list);
668
669 return s;
670}
671
672static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
673{
674 int state = s->state;
675
676 BT_DBG("session %p state %ld", s, s->state);
677
678 list_del(&s->list);
679
680 rfcomm_session_clear_timer(s);
681 sock_release(s->sock);
682 kfree(s);
683
684 if (state != BT_LISTEN)
685 module_put(THIS_MODULE);
686
687 return NULL;
688}
689
690static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
691{
692 struct rfcomm_session *s, *n;
693 struct l2cap_chan *chan;
694 list_for_each_entry_safe(s, n, &session_list, list) {
695 chan = l2cap_pi(s->sock->sk)->chan;
696
697 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) &&
698 !bacmp(&chan->dst, dst))
699 return s;
700 }
701 return NULL;
702}
703
704static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
705 int err)
706{
707 struct rfcomm_dlc *d, *n;
708
709 s->state = BT_CLOSED;
710
711 BT_DBG("session %p state %ld err %d", s, s->state, err);
712
713 /* Close all dlcs */
714 list_for_each_entry_safe(d, n, &s->dlcs, list) {
715 d->state = BT_CLOSED;
716 __rfcomm_dlc_close(d, err);
717 }
718
719 rfcomm_session_clear_timer(s);
720 return rfcomm_session_del(s);
721}
722
723static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
724 bdaddr_t *dst,
725 u8 sec_level,
726 int *err)
727{
728 struct rfcomm_session *s = NULL;
729 struct sockaddr_l2 addr;
730 struct socket *sock;
731 struct sock *sk;
732
733 BT_DBG("%pMR -> %pMR", src, dst);
734
735 *err = rfcomm_l2sock_create(&sock);
736 if (*err < 0)
737 return NULL;
738
739 bacpy(&addr.l2_bdaddr, src);
740 addr.l2_family = AF_BLUETOOTH;
741 addr.l2_psm = 0;
742 addr.l2_cid = 0;
743 addr.l2_bdaddr_type = BDADDR_BREDR;
744 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
745 if (*err < 0)
746 goto failed;
747
748 /* Set L2CAP options */
749 sk = sock->sk;
750 lock_sock(sk);
751 /* Set MTU to 0 so L2CAP can auto select the MTU */
752 l2cap_pi(sk)->chan->imtu = 0;
753 l2cap_pi(sk)->chan->sec_level = sec_level;
754 if (l2cap_ertm)
755 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
756 release_sock(sk);
757
758 s = rfcomm_session_add(sock, BT_BOUND);
759 if (!s) {
760 *err = -ENOMEM;
761 goto failed;
762 }
763
764 s->initiator = 1;
765
766 bacpy(&addr.l2_bdaddr, dst);
767 addr.l2_family = AF_BLUETOOTH;
768 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM);
769 addr.l2_cid = 0;
770 addr.l2_bdaddr_type = BDADDR_BREDR;
771 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
772 if (*err == 0 || *err == -EINPROGRESS)
773 return s;
774
775 return rfcomm_session_del(s);
776
777failed:
778 sock_release(sock);
779 return NULL;
780}
781
782void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
783{
784 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
785 if (src)
786 bacpy(src, &chan->src);
787 if (dst)
788 bacpy(dst, &chan->dst);
789}
790
791/* ---- RFCOMM frame sending ---- */
792static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
793{
794 struct kvec iv = { data, len };
795 struct msghdr msg;
796
797 BT_DBG("session %p len %d", s, len);
798
799 memset(&msg, 0, sizeof(msg));
800
801 return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
802}
803
804static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
805{
806 BT_DBG("%p cmd %u", s, cmd->ctrl);
807
808 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
809}
810
811static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
812{
813 struct rfcomm_cmd cmd;
814
815 BT_DBG("%p dlci %d", s, dlci);
816
817 cmd.addr = __addr(s->initiator, dlci);
818 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
819 cmd.len = __len8(0);
820 cmd.fcs = __fcs2((u8 *) &cmd);
821
822 return rfcomm_send_cmd(s, &cmd);
823}
824
825static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
826{
827 struct rfcomm_cmd cmd;
828
829 BT_DBG("%p dlci %d", s, dlci);
830
831 cmd.addr = __addr(!s->initiator, dlci);
832 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
833 cmd.len = __len8(0);
834 cmd.fcs = __fcs2((u8 *) &cmd);
835
836 return rfcomm_send_cmd(s, &cmd);
837}
838
839static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
840{
841 struct rfcomm_cmd cmd;
842
843 BT_DBG("%p dlci %d", s, dlci);
844
845 cmd.addr = __addr(s->initiator, dlci);
846 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
847 cmd.len = __len8(0);
848 cmd.fcs = __fcs2((u8 *) &cmd);
849
850 return rfcomm_send_cmd(s, &cmd);
851}
852
853static int rfcomm_queue_disc(struct rfcomm_dlc *d)
854{
855 struct rfcomm_cmd *cmd;
856 struct sk_buff *skb;
857
858 BT_DBG("dlc %p dlci %d", d, d->dlci);
859
860 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
861 if (!skb)
862 return -ENOMEM;
863
864 cmd = __skb_put(skb, sizeof(*cmd));
865 cmd->addr = d->addr;
866 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
867 cmd->len = __len8(0);
868 cmd->fcs = __fcs2((u8 *) cmd);
869
870 skb_queue_tail(&d->tx_queue, skb);
871 rfcomm_schedule();
872 return 0;
873}
874
875static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
876{
877 struct rfcomm_cmd cmd;
878
879 BT_DBG("%p dlci %d", s, dlci);
880
881 cmd.addr = __addr(!s->initiator, dlci);
882 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
883 cmd.len = __len8(0);
884 cmd.fcs = __fcs2((u8 *) &cmd);
885
886 return rfcomm_send_cmd(s, &cmd);
887}
888
889static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
890{
891 struct rfcomm_hdr *hdr;
892 struct rfcomm_mcc *mcc;
893 u8 buf[16], *ptr = buf;
894
895 BT_DBG("%p cr %d type %d", s, cr, type);
896
897 hdr = (void *) ptr; ptr += sizeof(*hdr);
898 hdr->addr = __addr(s->initiator, 0);
899 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
900 hdr->len = __len8(sizeof(*mcc) + 1);
901
902 mcc = (void *) ptr; ptr += sizeof(*mcc);
903 mcc->type = __mcc_type(0, RFCOMM_NSC);
904 mcc->len = __len8(1);
905
906 /* Type that we didn't like */
907 *ptr = __mcc_type(cr, type); ptr++;
908
909 *ptr = __fcs(buf); ptr++;
910
911 return rfcomm_send_frame(s, buf, ptr - buf);
912}
913
914static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
915{
916 struct rfcomm_hdr *hdr;
917 struct rfcomm_mcc *mcc;
918 struct rfcomm_pn *pn;
919 u8 buf[16], *ptr = buf;
920
921 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
922
923 hdr = (void *) ptr; ptr += sizeof(*hdr);
924 hdr->addr = __addr(s->initiator, 0);
925 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
926 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
927
928 mcc = (void *) ptr; ptr += sizeof(*mcc);
929 mcc->type = __mcc_type(cr, RFCOMM_PN);
930 mcc->len = __len8(sizeof(*pn));
931
932 pn = (void *) ptr; ptr += sizeof(*pn);
933 pn->dlci = d->dlci;
934 pn->priority = d->priority;
935 pn->ack_timer = 0;
936 pn->max_retrans = 0;
937
938 if (s->cfc) {
939 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
940 pn->credits = RFCOMM_DEFAULT_CREDITS;
941 } else {
942 pn->flow_ctrl = 0;
943 pn->credits = 0;
944 }
945
946 if (cr && channel_mtu >= 0)
947 pn->mtu = cpu_to_le16(channel_mtu);
948 else
949 pn->mtu = cpu_to_le16(d->mtu);
950
951 *ptr = __fcs(buf); ptr++;
952
953 return rfcomm_send_frame(s, buf, ptr - buf);
954}
955
956int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
957 u8 bit_rate, u8 data_bits, u8 stop_bits,
958 u8 parity, u8 flow_ctrl_settings,
959 u8 xon_char, u8 xoff_char, u16 param_mask)
960{
961 struct rfcomm_hdr *hdr;
962 struct rfcomm_mcc *mcc;
963 struct rfcomm_rpn *rpn;
964 u8 buf[16], *ptr = buf;
965
966 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
967 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
968 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
969 flow_ctrl_settings, xon_char, xoff_char, param_mask);
970
971 hdr = (void *) ptr; ptr += sizeof(*hdr);
972 hdr->addr = __addr(s->initiator, 0);
973 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
974 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
975
976 mcc = (void *) ptr; ptr += sizeof(*mcc);
977 mcc->type = __mcc_type(cr, RFCOMM_RPN);
978 mcc->len = __len8(sizeof(*rpn));
979
980 rpn = (void *) ptr; ptr += sizeof(*rpn);
981 rpn->dlci = __addr(1, dlci);
982 rpn->bit_rate = bit_rate;
983 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
984 rpn->flow_ctrl = flow_ctrl_settings;
985 rpn->xon_char = xon_char;
986 rpn->xoff_char = xoff_char;
987 rpn->param_mask = cpu_to_le16(param_mask);
988
989 *ptr = __fcs(buf); ptr++;
990
991 return rfcomm_send_frame(s, buf, ptr - buf);
992}
993
994static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
995{
996 struct rfcomm_hdr *hdr;
997 struct rfcomm_mcc *mcc;
998 struct rfcomm_rls *rls;
999 u8 buf[16], *ptr = buf;
1000
1001 BT_DBG("%p cr %d status 0x%x", s, cr, status);
1002
1003 hdr = (void *) ptr; ptr += sizeof(*hdr);
1004 hdr->addr = __addr(s->initiator, 0);
1005 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1006 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
1007
1008 mcc = (void *) ptr; ptr += sizeof(*mcc);
1009 mcc->type = __mcc_type(cr, RFCOMM_RLS);
1010 mcc->len = __len8(sizeof(*rls));
1011
1012 rls = (void *) ptr; ptr += sizeof(*rls);
1013 rls->dlci = __addr(1, dlci);
1014 rls->status = status;
1015
1016 *ptr = __fcs(buf); ptr++;
1017
1018 return rfcomm_send_frame(s, buf, ptr - buf);
1019}
1020
1021static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
1022{
1023 struct rfcomm_hdr *hdr;
1024 struct rfcomm_mcc *mcc;
1025 struct rfcomm_msc *msc;
1026 u8 buf[16], *ptr = buf;
1027
1028 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
1029
1030 hdr = (void *) ptr; ptr += sizeof(*hdr);
1031 hdr->addr = __addr(s->initiator, 0);
1032 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1033 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
1034
1035 mcc = (void *) ptr; ptr += sizeof(*mcc);
1036 mcc->type = __mcc_type(cr, RFCOMM_MSC);
1037 mcc->len = __len8(sizeof(*msc));
1038
1039 msc = (void *) ptr; ptr += sizeof(*msc);
1040 msc->dlci = __addr(1, dlci);
1041 msc->v24_sig = v24_sig | 0x01;
1042
1043 *ptr = __fcs(buf); ptr++;
1044
1045 return rfcomm_send_frame(s, buf, ptr - buf);
1046}
1047
1048static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1049{
1050 struct rfcomm_hdr *hdr;
1051 struct rfcomm_mcc *mcc;
1052 u8 buf[16], *ptr = buf;
1053
1054 BT_DBG("%p cr %d", s, cr);
1055
1056 hdr = (void *) ptr; ptr += sizeof(*hdr);
1057 hdr->addr = __addr(s->initiator, 0);
1058 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1059 hdr->len = __len8(sizeof(*mcc));
1060
1061 mcc = (void *) ptr; ptr += sizeof(*mcc);
1062 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1063 mcc->len = __len8(0);
1064
1065 *ptr = __fcs(buf); ptr++;
1066
1067 return rfcomm_send_frame(s, buf, ptr - buf);
1068}
1069
1070static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1071{
1072 struct rfcomm_hdr *hdr;
1073 struct rfcomm_mcc *mcc;
1074 u8 buf[16], *ptr = buf;
1075
1076 BT_DBG("%p cr %d", s, cr);
1077
1078 hdr = (void *) ptr; ptr += sizeof(*hdr);
1079 hdr->addr = __addr(s->initiator, 0);
1080 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1081 hdr->len = __len8(sizeof(*mcc));
1082
1083 mcc = (void *) ptr; ptr += sizeof(*mcc);
1084 mcc->type = __mcc_type(cr, RFCOMM_FCON);
1085 mcc->len = __len8(0);
1086
1087 *ptr = __fcs(buf); ptr++;
1088
1089 return rfcomm_send_frame(s, buf, ptr - buf);
1090}
1091
1092static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1093{
1094 struct socket *sock = s->sock;
1095 struct kvec iv[3];
1096 struct msghdr msg;
1097 unsigned char hdr[5], crc[1];
1098
1099 if (len > 125)
1100 return -EINVAL;
1101
1102 BT_DBG("%p cr %d", s, cr);
1103
1104 hdr[0] = __addr(s->initiator, 0);
1105 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1106 hdr[2] = 0x01 | ((len + 2) << 1);
1107 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1108 hdr[4] = 0x01 | (len << 1);
1109
1110 crc[0] = __fcs(hdr);
1111
1112 iv[0].iov_base = hdr;
1113 iv[0].iov_len = 5;
1114 iv[1].iov_base = pattern;
1115 iv[1].iov_len = len;
1116 iv[2].iov_base = crc;
1117 iv[2].iov_len = 1;
1118
1119 memset(&msg, 0, sizeof(msg));
1120
1121 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1122}
1123
1124static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1125{
1126 struct rfcomm_hdr *hdr;
1127 u8 buf[16], *ptr = buf;
1128
1129 BT_DBG("%p addr %d credits %d", s, addr, credits);
1130
1131 hdr = (void *) ptr; ptr += sizeof(*hdr);
1132 hdr->addr = addr;
1133 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1134 hdr->len = __len8(0);
1135
1136 *ptr = credits; ptr++;
1137
1138 *ptr = __fcs(buf); ptr++;
1139
1140 return rfcomm_send_frame(s, buf, ptr - buf);
1141}
1142
1143static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1144{
1145 struct rfcomm_hdr *hdr;
1146 int len = skb->len;
1147 u8 *crc;
1148
1149 if (len > 127) {
1150 hdr = skb_push(skb, 4);
1151 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1152 } else {
1153 hdr = skb_push(skb, 3);
1154 hdr->len = __len8(len);
1155 }
1156 hdr->addr = addr;
1157 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1158
1159 crc = skb_put(skb, 1);
1160 *crc = __fcs((void *) hdr);
1161}
1162
1163/* ---- RFCOMM frame reception ---- */
1164static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1165{
1166 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1167
1168 if (dlci) {
1169 /* Data channel */
1170 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1171 if (!d) {
1172 rfcomm_send_dm(s, dlci);
1173 return s;
1174 }
1175
1176 switch (d->state) {
1177 case BT_CONNECT:
1178 rfcomm_dlc_clear_timer(d);
1179
1180 rfcomm_dlc_lock(d);
1181 d->state = BT_CONNECTED;
1182 d->state_change(d, 0);
1183 rfcomm_dlc_unlock(d);
1184
1185 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1186 break;
1187
1188 case BT_DISCONN:
1189 d->state = BT_CLOSED;
1190 __rfcomm_dlc_close(d, 0);
1191
1192 if (list_empty(&s->dlcs)) {
1193 s->state = BT_DISCONN;
1194 rfcomm_send_disc(s, 0);
1195 rfcomm_session_clear_timer(s);
1196 }
1197
1198 break;
1199 }
1200 } else {
1201 /* Control channel */
1202 switch (s->state) {
1203 case BT_CONNECT:
1204 s->state = BT_CONNECTED;
1205 rfcomm_process_connect(s);
1206 break;
1207
1208 case BT_DISCONN:
1209 s = rfcomm_session_close(s, ECONNRESET);
1210 break;
1211 }
1212 }
1213 return s;
1214}
1215
1216static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1217{
1218 int err = 0;
1219
1220 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1221
1222 if (dlci) {
1223 /* Data DLC */
1224 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1225 if (d) {
1226 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1227 err = ECONNREFUSED;
1228 else
1229 err = ECONNRESET;
1230
1231 d->state = BT_CLOSED;
1232 __rfcomm_dlc_close(d, err);
1233 }
1234 } else {
1235 if (s->state == BT_CONNECT)
1236 err = ECONNREFUSED;
1237 else
1238 err = ECONNRESET;
1239
1240 s = rfcomm_session_close(s, err);
1241 }
1242 return s;
1243}
1244
1245static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1246 u8 dlci)
1247{
1248 int err = 0;
1249
1250 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1251
1252 if (dlci) {
1253 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1254 if (d) {
1255 rfcomm_send_ua(s, dlci);
1256
1257 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1258 err = ECONNREFUSED;
1259 else
1260 err = ECONNRESET;
1261
1262 d->state = BT_CLOSED;
1263 __rfcomm_dlc_close(d, err);
1264 } else
1265 rfcomm_send_dm(s, dlci);
1266
1267 } else {
1268 rfcomm_send_ua(s, 0);
1269
1270 if (s->state == BT_CONNECT)
1271 err = ECONNREFUSED;
1272 else
1273 err = ECONNRESET;
1274
1275 s = rfcomm_session_close(s, err);
1276 }
1277 return s;
1278}
1279
1280void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1281{
1282 struct sock *sk = d->session->sock->sk;
1283 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1284
1285 BT_DBG("dlc %p", d);
1286
1287 rfcomm_send_ua(d->session, d->dlci);
1288
1289 rfcomm_dlc_clear_timer(d);
1290
1291 rfcomm_dlc_lock(d);
1292 d->state = BT_CONNECTED;
1293 d->state_change(d, 0);
1294 rfcomm_dlc_unlock(d);
1295
1296 if (d->role_switch)
1297 hci_conn_switch_role(conn->hcon, 0x00);
1298
1299 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1300}
1301
1302static void rfcomm_check_accept(struct rfcomm_dlc *d)
1303{
1304 if (rfcomm_check_security(d)) {
1305 if (d->defer_setup) {
1306 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1307 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1308
1309 rfcomm_dlc_lock(d);
1310 d->state = BT_CONNECT2;
1311 d->state_change(d, 0);
1312 rfcomm_dlc_unlock(d);
1313 } else
1314 rfcomm_dlc_accept(d);
1315 } else {
1316 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1317 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1318 }
1319}
1320
1321static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1322{
1323 struct rfcomm_dlc *d;
1324 u8 channel;
1325
1326 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1327
1328 if (!dlci) {
1329 rfcomm_send_ua(s, 0);
1330
1331 if (s->state == BT_OPEN) {
1332 s->state = BT_CONNECTED;
1333 rfcomm_process_connect(s);
1334 }
1335 return 0;
1336 }
1337
1338 /* Check if DLC exists */
1339 d = rfcomm_dlc_get(s, dlci);
1340 if (d) {
1341 if (d->state == BT_OPEN) {
1342 /* DLC was previously opened by PN request */
1343 rfcomm_check_accept(d);
1344 }
1345 return 0;
1346 }
1347
1348 /* Notify socket layer about incoming connection */
1349 channel = __srv_channel(dlci);
1350 if (rfcomm_connect_ind(s, channel, &d)) {
1351 d->dlci = dlci;
1352 d->addr = __addr(s->initiator, dlci);
1353 rfcomm_dlc_link(s, d);
1354
1355 rfcomm_check_accept(d);
1356 } else {
1357 rfcomm_send_dm(s, dlci);
1358 }
1359
1360 return 0;
1361}
1362
1363static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1364{
1365 struct rfcomm_session *s = d->session;
1366
1367 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1368 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1369
1370 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1371 pn->flow_ctrl == 0xe0) {
1372 d->cfc = RFCOMM_CFC_ENABLED;
1373 d->tx_credits = pn->credits;
1374 } else {
1375 d->cfc = RFCOMM_CFC_DISABLED;
1376 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1377 }
1378
1379 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1380 s->cfc = d->cfc;
1381
1382 d->priority = pn->priority;
1383
1384 d->mtu = __le16_to_cpu(pn->mtu);
1385
1386 if (cr && d->mtu > s->mtu)
1387 d->mtu = s->mtu;
1388
1389 return 0;
1390}
1391
1392static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1393{
1394 struct rfcomm_pn *pn = (void *) skb->data;
1395 struct rfcomm_dlc *d;
1396 u8 dlci = pn->dlci;
1397
1398 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1399
1400 if (!dlci)
1401 return 0;
1402
1403 d = rfcomm_dlc_get(s, dlci);
1404 if (d) {
1405 if (cr) {
1406 /* PN request */
1407 rfcomm_apply_pn(d, cr, pn);
1408 rfcomm_send_pn(s, 0, d);
1409 } else {
1410 /* PN response */
1411 switch (d->state) {
1412 case BT_CONFIG:
1413 rfcomm_apply_pn(d, cr, pn);
1414
1415 d->state = BT_CONNECT;
1416 rfcomm_send_sabm(s, d->dlci);
1417 break;
1418 }
1419 }
1420 } else {
1421 u8 channel = __srv_channel(dlci);
1422
1423 if (!cr)
1424 return 0;
1425
1426 /* PN request for non existing DLC.
1427 * Assume incoming connection. */
1428 if (rfcomm_connect_ind(s, channel, &d)) {
1429 d->dlci = dlci;
1430 d->addr = __addr(s->initiator, dlci);
1431 rfcomm_dlc_link(s, d);
1432
1433 rfcomm_apply_pn(d, cr, pn);
1434
1435 d->state = BT_OPEN;
1436 rfcomm_send_pn(s, 0, d);
1437 } else {
1438 rfcomm_send_dm(s, dlci);
1439 }
1440 }
1441 return 0;
1442}
1443
1444static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1445{
1446 struct rfcomm_rpn *rpn = (void *) skb->data;
1447 u8 dlci = __get_dlci(rpn->dlci);
1448
1449 u8 bit_rate = 0;
1450 u8 data_bits = 0;
1451 u8 stop_bits = 0;
1452 u8 parity = 0;
1453 u8 flow_ctrl = 0;
1454 u8 xon_char = 0;
1455 u8 xoff_char = 0;
1456 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1457
1458 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1459 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1460 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1461
1462 if (!cr)
1463 return 0;
1464
1465 if (len == 1) {
1466 /* This is a request, return default (according to ETSI TS 07.10) settings */
1467 bit_rate = RFCOMM_RPN_BR_9600;
1468 data_bits = RFCOMM_RPN_DATA_8;
1469 stop_bits = RFCOMM_RPN_STOP_1;
1470 parity = RFCOMM_RPN_PARITY_NONE;
1471 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1472 xon_char = RFCOMM_RPN_XON_CHAR;
1473 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1474 goto rpn_out;
1475 }
1476
1477 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1478 * no parity, no flow control lines, normal XON/XOFF chars */
1479
1480 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1481 bit_rate = rpn->bit_rate;
1482 if (bit_rate > RFCOMM_RPN_BR_230400) {
1483 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1484 bit_rate = RFCOMM_RPN_BR_9600;
1485 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1486 }
1487 }
1488
1489 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1490 data_bits = __get_rpn_data_bits(rpn->line_settings);
1491 if (data_bits != RFCOMM_RPN_DATA_8) {
1492 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1493 data_bits = RFCOMM_RPN_DATA_8;
1494 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1495 }
1496 }
1497
1498 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1499 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1500 if (stop_bits != RFCOMM_RPN_STOP_1) {
1501 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1502 stop_bits = RFCOMM_RPN_STOP_1;
1503 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1504 }
1505 }
1506
1507 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1508 parity = __get_rpn_parity(rpn->line_settings);
1509 if (parity != RFCOMM_RPN_PARITY_NONE) {
1510 BT_DBG("RPN parity mismatch 0x%x", parity);
1511 parity = RFCOMM_RPN_PARITY_NONE;
1512 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1513 }
1514 }
1515
1516 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1517 flow_ctrl = rpn->flow_ctrl;
1518 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1519 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1520 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1521 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1522 }
1523 }
1524
1525 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1526 xon_char = rpn->xon_char;
1527 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1528 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1529 xon_char = RFCOMM_RPN_XON_CHAR;
1530 rpn_mask ^= RFCOMM_RPN_PM_XON;
1531 }
1532 }
1533
1534 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1535 xoff_char = rpn->xoff_char;
1536 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1537 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1538 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1539 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1540 }
1541 }
1542
1543rpn_out:
1544 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1545 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1546
1547 return 0;
1548}
1549
1550static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1551{
1552 struct rfcomm_rls *rls = (void *) skb->data;
1553 u8 dlci = __get_dlci(rls->dlci);
1554
1555 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1556
1557 if (!cr)
1558 return 0;
1559
1560 /* We should probably do something with this information here. But
1561 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1562 * mandatory to recognise and respond to RLS */
1563
1564 rfcomm_send_rls(s, 0, dlci, rls->status);
1565
1566 return 0;
1567}
1568
1569static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1570{
1571 struct rfcomm_msc *msc = (void *) skb->data;
1572 struct rfcomm_dlc *d;
1573 u8 dlci = __get_dlci(msc->dlci);
1574
1575 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1576
1577 d = rfcomm_dlc_get(s, dlci);
1578 if (!d)
1579 return 0;
1580
1581 if (cr) {
1582 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1583 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1584 else
1585 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1586
1587 rfcomm_dlc_lock(d);
1588
1589 d->remote_v24_sig = msc->v24_sig;
1590
1591 if (d->modem_status)
1592 d->modem_status(d, msc->v24_sig);
1593
1594 rfcomm_dlc_unlock(d);
1595
1596 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1597
1598 d->mscex |= RFCOMM_MSCEX_RX;
1599 } else
1600 d->mscex |= RFCOMM_MSCEX_TX;
1601
1602 return 0;
1603}
1604
1605static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1606{
1607 struct rfcomm_mcc *mcc = (void *) skb->data;
1608 u8 type, cr, len;
1609
1610 cr = __test_cr(mcc->type);
1611 type = __get_mcc_type(mcc->type);
1612 len = __get_mcc_len(mcc->len);
1613
1614 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1615
1616 skb_pull(skb, 2);
1617
1618 switch (type) {
1619 case RFCOMM_PN:
1620 rfcomm_recv_pn(s, cr, skb);
1621 break;
1622
1623 case RFCOMM_RPN:
1624 rfcomm_recv_rpn(s, cr, len, skb);
1625 break;
1626
1627 case RFCOMM_RLS:
1628 rfcomm_recv_rls(s, cr, skb);
1629 break;
1630
1631 case RFCOMM_MSC:
1632 rfcomm_recv_msc(s, cr, skb);
1633 break;
1634
1635 case RFCOMM_FCOFF:
1636 if (cr) {
1637 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1638 rfcomm_send_fcoff(s, 0);
1639 }
1640 break;
1641
1642 case RFCOMM_FCON:
1643 if (cr) {
1644 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1645 rfcomm_send_fcon(s, 0);
1646 }
1647 break;
1648
1649 case RFCOMM_TEST:
1650 if (cr)
1651 rfcomm_send_test(s, 0, skb->data, skb->len);
1652 break;
1653
1654 case RFCOMM_NSC:
1655 break;
1656
1657 default:
1658 BT_ERR("Unknown control type 0x%02x", type);
1659 rfcomm_send_nsc(s, cr, type);
1660 break;
1661 }
1662 return 0;
1663}
1664
1665static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1666{
1667 struct rfcomm_dlc *d;
1668
1669 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1670
1671 d = rfcomm_dlc_get(s, dlci);
1672 if (!d) {
1673 rfcomm_send_dm(s, dlci);
1674 goto drop;
1675 }
1676
1677 if (pf && d->cfc) {
1678 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1679
1680 d->tx_credits += credits;
1681 if (d->tx_credits)
1682 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1683 }
1684
1685 if (skb->len && d->state == BT_CONNECTED) {
1686 rfcomm_dlc_lock(d);
1687 d->rx_credits--;
1688 d->data_ready(d, skb);
1689 rfcomm_dlc_unlock(d);
1690 return 0;
1691 }
1692
1693drop:
1694 kfree_skb(skb);
1695 return 0;
1696}
1697
1698static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1699 struct sk_buff *skb)
1700{
1701 struct rfcomm_hdr *hdr = (void *) skb->data;
1702 u8 type, dlci, fcs;
1703
1704 if (!s) {
1705 /* no session, so free socket data */
1706 kfree_skb(skb);
1707 return s;
1708 }
1709
1710 dlci = __get_dlci(hdr->addr);
1711 type = __get_type(hdr->ctrl);
1712
1713 /* Trim FCS */
1714 skb->len--; skb->tail--;
1715 fcs = *(u8 *)skb_tail_pointer(skb);
1716
1717 if (__check_fcs(skb->data, type, fcs)) {
1718 BT_ERR("bad checksum in packet");
1719 kfree_skb(skb);
1720 return s;
1721 }
1722
1723 if (__test_ea(hdr->len))
1724 skb_pull(skb, 3);
1725 else
1726 skb_pull(skb, 4);
1727
1728 switch (type) {
1729 case RFCOMM_SABM:
1730 if (__test_pf(hdr->ctrl))
1731 rfcomm_recv_sabm(s, dlci);
1732 break;
1733
1734 case RFCOMM_DISC:
1735 if (__test_pf(hdr->ctrl))
1736 s = rfcomm_recv_disc(s, dlci);
1737 break;
1738
1739 case RFCOMM_UA:
1740 if (__test_pf(hdr->ctrl))
1741 s = rfcomm_recv_ua(s, dlci);
1742 break;
1743
1744 case RFCOMM_DM:
1745 s = rfcomm_recv_dm(s, dlci);
1746 break;
1747
1748 case RFCOMM_UIH:
1749 if (dlci) {
1750 rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1751 return s;
1752 }
1753 rfcomm_recv_mcc(s, skb);
1754 break;
1755
1756 default:
1757 BT_ERR("Unknown packet type 0x%02x", type);
1758 break;
1759 }
1760 kfree_skb(skb);
1761 return s;
1762}
1763
1764/* ---- Connection and data processing ---- */
1765
1766static void rfcomm_process_connect(struct rfcomm_session *s)
1767{
1768 struct rfcomm_dlc *d, *n;
1769
1770 BT_DBG("session %p state %ld", s, s->state);
1771
1772 list_for_each_entry_safe(d, n, &s->dlcs, list) {
1773 if (d->state == BT_CONFIG) {
1774 d->mtu = s->mtu;
1775 if (rfcomm_check_security(d)) {
1776 rfcomm_send_pn(s, 1, d);
1777 } else {
1778 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1779 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1780 }
1781 }
1782 }
1783}
1784
1785/* Send data queued for the DLC.
1786 * Return number of frames left in the queue.
1787 */
1788static int rfcomm_process_tx(struct rfcomm_dlc *d)
1789{
1790 struct sk_buff *skb;
1791 int err;
1792
1793 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1794 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1795
1796 /* Send pending MSC */
1797 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1798 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1799
1800 if (d->cfc) {
1801 /* CFC enabled.
1802 * Give them some credits */
1803 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1804 d->rx_credits <= (d->cfc >> 2)) {
1805 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1806 d->rx_credits = d->cfc;
1807 }
1808 } else {
1809 /* CFC disabled.
1810 * Give ourselves some credits */
1811 d->tx_credits = 5;
1812 }
1813
1814 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1815 return skb_queue_len(&d->tx_queue);
1816
1817 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1818 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1819 if (err < 0) {
1820 skb_queue_head(&d->tx_queue, skb);
1821 break;
1822 }
1823 kfree_skb(skb);
1824 d->tx_credits--;
1825 }
1826
1827 if (d->cfc && !d->tx_credits) {
1828 /* We're out of TX credits.
1829 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1830 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1831 }
1832
1833 return skb_queue_len(&d->tx_queue);
1834}
1835
1836static void rfcomm_process_dlcs(struct rfcomm_session *s)
1837{
1838 struct rfcomm_dlc *d, *n;
1839
1840 BT_DBG("session %p state %ld", s, s->state);
1841
1842 list_for_each_entry_safe(d, n, &s->dlcs, list) {
1843 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1844 __rfcomm_dlc_close(d, ETIMEDOUT);
1845 continue;
1846 }
1847
1848 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1849 __rfcomm_dlc_close(d, ECONNREFUSED);
1850 continue;
1851 }
1852
1853 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1854 rfcomm_dlc_clear_timer(d);
1855 if (d->out) {
1856 rfcomm_send_pn(s, 1, d);
1857 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1858 } else {
1859 if (d->defer_setup) {
1860 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1861 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1862
1863 rfcomm_dlc_lock(d);
1864 d->state = BT_CONNECT2;
1865 d->state_change(d, 0);
1866 rfcomm_dlc_unlock(d);
1867 } else
1868 rfcomm_dlc_accept(d);
1869 }
1870 continue;
1871 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1872 rfcomm_dlc_clear_timer(d);
1873 if (!d->out)
1874 rfcomm_send_dm(s, d->dlci);
1875 else
1876 d->state = BT_CLOSED;
1877 __rfcomm_dlc_close(d, ECONNREFUSED);
1878 continue;
1879 }
1880
1881 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1882 continue;
1883
1884 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1885 continue;
1886
1887 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1888 d->mscex == RFCOMM_MSCEX_OK)
1889 rfcomm_process_tx(d);
1890 }
1891}
1892
1893static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1894{
1895 struct socket *sock = s->sock;
1896 struct sock *sk = sock->sk;
1897 struct sk_buff *skb;
1898
1899 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1900
1901 /* Get data directly from socket receive queue without copying it. */
1902 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1903 skb_orphan(skb);
1904 if (!skb_linearize(skb)) {
1905 s = rfcomm_recv_frame(s, skb);
1906 if (!s)
1907 break;
1908 } else {
1909 kfree_skb(skb);
1910 }
1911 }
1912
1913 if (s && (sk->sk_state == BT_CLOSED))
1914 s = rfcomm_session_close(s, sk->sk_err);
1915
1916 return s;
1917}
1918
1919static void rfcomm_accept_connection(struct rfcomm_session *s)
1920{
1921 struct socket *sock = s->sock, *nsock;
1922 int err;
1923
1924 /* Fast check for a new connection.
1925 * Avoids unnesesary socket allocations. */
1926 if (list_empty(&bt_sk(sock->sk)->accept_q))
1927 return;
1928
1929 BT_DBG("session %p", s);
1930
1931 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1932 if (err < 0)
1933 return;
1934
1935 /* Set our callbacks */
1936 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1937 nsock->sk->sk_state_change = rfcomm_l2state_change;
1938
1939 s = rfcomm_session_add(nsock, BT_OPEN);
1940 if (s) {
1941 /* We should adjust MTU on incoming sessions.
1942 * L2CAP MTU minus UIH header and FCS. */
1943 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1944 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1945
1946 rfcomm_schedule();
1947 } else
1948 sock_release(nsock);
1949}
1950
1951static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1952{
1953 struct sock *sk = s->sock->sk;
1954
1955 BT_DBG("%p state %ld", s, s->state);
1956
1957 switch (sk->sk_state) {
1958 case BT_CONNECTED:
1959 s->state = BT_CONNECT;
1960
1961 /* We can adjust MTU on outgoing sessions.
1962 * L2CAP MTU minus UIH header and FCS. */
1963 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1964
1965 rfcomm_send_sabm(s, 0);
1966 break;
1967
1968 case BT_CLOSED:
1969 s = rfcomm_session_close(s, sk->sk_err);
1970 break;
1971 }
1972 return s;
1973}
1974
1975static void rfcomm_process_sessions(void)
1976{
1977 struct rfcomm_session *s, *n;
1978
1979 rfcomm_lock();
1980
1981 list_for_each_entry_safe(s, n, &session_list, list) {
1982 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1983 s->state = BT_DISCONN;
1984 rfcomm_send_disc(s, 0);
1985 continue;
1986 }
1987
1988 switch (s->state) {
1989 case BT_LISTEN:
1990 rfcomm_accept_connection(s);
1991 continue;
1992
1993 case BT_BOUND:
1994 s = rfcomm_check_connection(s);
1995 break;
1996
1997 default:
1998 s = rfcomm_process_rx(s);
1999 break;
2000 }
2001
2002 if (s)
2003 rfcomm_process_dlcs(s);
2004 }
2005
2006 rfcomm_unlock();
2007}
2008
2009static int rfcomm_add_listener(bdaddr_t *ba)
2010{
2011 struct sockaddr_l2 addr;
2012 struct socket *sock;
2013 struct sock *sk;
2014 struct rfcomm_session *s;
2015 int err = 0;
2016
2017 /* Create socket */
2018 err = rfcomm_l2sock_create(&sock);
2019 if (err < 0) {
2020 BT_ERR("Create socket failed %d", err);
2021 return err;
2022 }
2023
2024 /* Bind socket */
2025 bacpy(&addr.l2_bdaddr, ba);
2026 addr.l2_family = AF_BLUETOOTH;
2027 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM);
2028 addr.l2_cid = 0;
2029 addr.l2_bdaddr_type = BDADDR_BREDR;
2030 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2031 if (err < 0) {
2032 BT_ERR("Bind failed %d", err);
2033 goto failed;
2034 }
2035
2036 /* Set L2CAP options */
2037 sk = sock->sk;
2038 lock_sock(sk);
2039 /* Set MTU to 0 so L2CAP can auto select the MTU */
2040 l2cap_pi(sk)->chan->imtu = 0;
2041 release_sock(sk);
2042
2043 /* Start listening on the socket */
2044 err = kernel_listen(sock, 10);
2045 if (err) {
2046 BT_ERR("Listen failed %d", err);
2047 goto failed;
2048 }
2049
2050 /* Add listening session */
2051 s = rfcomm_session_add(sock, BT_LISTEN);
2052 if (!s) {
2053 err = -ENOMEM;
2054 goto failed;
2055 }
2056
2057 return 0;
2058failed:
2059 sock_release(sock);
2060 return err;
2061}
2062
2063static void rfcomm_kill_listener(void)
2064{
2065 struct rfcomm_session *s, *n;
2066
2067 BT_DBG("");
2068
2069 list_for_each_entry_safe(s, n, &session_list, list)
2070 rfcomm_session_del(s);
2071}
2072
2073static int rfcomm_run(void *unused)
2074{
2075 DEFINE_WAIT_FUNC(wait, woken_wake_function);
2076 BT_DBG("");
2077
2078 set_user_nice(current, -10);
2079
2080 rfcomm_add_listener(BDADDR_ANY);
2081
2082 add_wait_queue(&rfcomm_wq, &wait);
2083 while (!kthread_should_stop()) {
2084
2085 /* Process stuff */
2086 rfcomm_process_sessions();
2087
2088 wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
2089 }
2090 remove_wait_queue(&rfcomm_wq, &wait);
2091
2092 rfcomm_kill_listener();
2093
2094 return 0;
2095}
2096
2097static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2098{
2099 struct rfcomm_session *s;
2100 struct rfcomm_dlc *d, *n;
2101
2102 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2103
2104 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2105 if (!s)
2106 return;
2107
2108 list_for_each_entry_safe(d, n, &s->dlcs, list) {
2109 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2110 rfcomm_dlc_clear_timer(d);
2111 if (status || encrypt == 0x00) {
2112 set_bit(RFCOMM_ENC_DROP, &d->flags);
2113 continue;
2114 }
2115 }
2116
2117 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2118 if (d->sec_level == BT_SECURITY_MEDIUM) {
2119 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2120 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2121 continue;
2122 } else if (d->sec_level == BT_SECURITY_HIGH ||
2123 d->sec_level == BT_SECURITY_FIPS) {
2124 set_bit(RFCOMM_ENC_DROP, &d->flags);
2125 continue;
2126 }
2127 }
2128
2129 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2130 continue;
2131
2132 if (!status && hci_conn_check_secure(conn, d->sec_level))
2133 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2134 else
2135 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2136 }
2137
2138 rfcomm_schedule();
2139}
2140
2141static struct hci_cb rfcomm_cb = {
2142 .name = "RFCOMM",
2143 .security_cfm = rfcomm_security_cfm
2144};
2145
2146static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2147{
2148 struct rfcomm_session *s;
2149
2150 rfcomm_lock();
2151
2152 list_for_each_entry(s, &session_list, list) {
2153 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
2154 struct rfcomm_dlc *d;
2155 list_for_each_entry(d, &s->dlcs, list) {
2156 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2157 &chan->src, &chan->dst,
2158 d->state, d->dlci, d->mtu,
2159 d->rx_credits, d->tx_credits);
2160 }
2161 }
2162
2163 rfcomm_unlock();
2164
2165 return 0;
2166}
2167
2168DEFINE_SHOW_ATTRIBUTE(rfcomm_dlc_debugfs);
2169
2170static struct dentry *rfcomm_dlc_debugfs;
2171
2172/* ---- Initialization ---- */
2173static int __init rfcomm_init(void)
2174{
2175 int err;
2176
2177 hci_register_cb(&rfcomm_cb);
2178
2179 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2180 if (IS_ERR(rfcomm_thread)) {
2181 err = PTR_ERR(rfcomm_thread);
2182 goto unregister;
2183 }
2184
2185 err = rfcomm_init_ttys();
2186 if (err < 0)
2187 goto stop;
2188
2189 err = rfcomm_init_sockets();
2190 if (err < 0)
2191 goto cleanup;
2192
2193 BT_INFO("RFCOMM ver %s", VERSION);
2194
2195 if (IS_ERR_OR_NULL(bt_debugfs))
2196 return 0;
2197
2198 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2199 bt_debugfs, NULL,
2200 &rfcomm_dlc_debugfs_fops);
2201
2202 return 0;
2203
2204cleanup:
2205 rfcomm_cleanup_ttys();
2206
2207stop:
2208 kthread_stop(rfcomm_thread);
2209
2210unregister:
2211 hci_unregister_cb(&rfcomm_cb);
2212
2213 return err;
2214}
2215
2216static void __exit rfcomm_exit(void)
2217{
2218 debugfs_remove(rfcomm_dlc_debugfs);
2219
2220 hci_unregister_cb(&rfcomm_cb);
2221
2222 kthread_stop(rfcomm_thread);
2223
2224 rfcomm_cleanup_ttys();
2225
2226 rfcomm_cleanup_sockets();
2227}
2228
2229module_init(rfcomm_init);
2230module_exit(rfcomm_exit);
2231
2232module_param(disable_cfc, bool, 0644);
2233MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2234
2235module_param(channel_mtu, int, 0644);
2236MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2237
2238module_param(l2cap_ertm, bool, 0644);
2239MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2240
2241MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2242MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2243MODULE_VERSION(VERSION);
2244MODULE_LICENSE("GPL");
2245MODULE_ALIAS("bt-proto-3");