Loading...
1/*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22*/
23
24/*
25 * Bluetooth RFCOMM core.
26 */
27
28#include <linux/module.h>
29#include <linux/debugfs.h>
30#include <linux/kthread.h>
31#include <asm/unaligned.h>
32
33#include <net/bluetooth/bluetooth.h>
34#include <net/bluetooth/hci_core.h>
35#include <net/bluetooth/l2cap.h>
36#include <net/bluetooth/rfcomm.h>
37
38#define VERSION "1.11"
39
40static bool disable_cfc;
41static bool l2cap_ertm;
42static int channel_mtu = -1;
43static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44
45static struct task_struct *rfcomm_thread;
46
47static DEFINE_MUTEX(rfcomm_mutex);
48#define rfcomm_lock() mutex_lock(&rfcomm_mutex)
49#define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
50
51
52static LIST_HEAD(session_list);
53
54static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
55static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64
65static void rfcomm_process_connect(struct rfcomm_session *s);
66
67static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68 bdaddr_t *dst,
69 u8 sec_level,
70 int *err);
71static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
72static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
73
74/* ---- RFCOMM frame parsing macros ---- */
75#define __get_dlci(b) ((b & 0xfc) >> 2)
76#define __get_channel(b) ((b & 0xf8) >> 3)
77#define __get_dir(b) ((b & 0x04) >> 2)
78#define __get_type(b) ((b & 0xef))
79
80#define __test_ea(b) ((b & 0x01))
81#define __test_cr(b) (!!(b & 0x02))
82#define __test_pf(b) (!!(b & 0x10))
83
84#define __session_dir(s) ((s)->initiator ? 0x00 : 0x01)
85
86#define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
87#define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
88#define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
89#define __srv_channel(dlci) (dlci >> 1)
90#define __dir(dlci) (dlci & 0x01)
91
92#define __len8(len) (((len) << 1) | 1)
93#define __len16(len) ((len) << 1)
94
95/* MCC macros */
96#define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
97#define __get_mcc_type(b) ((b & 0xfc) >> 2)
98#define __get_mcc_len(b) ((b & 0xfe) >> 1)
99
100/* RPN macros */
101#define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
102#define __get_rpn_data_bits(line) ((line) & 0x3)
103#define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
104#define __get_rpn_parity(line) (((line) >> 3) & 0x7)
105
106static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq);
107
108static void rfcomm_schedule(void)
109{
110 wake_up_all(&rfcomm_wq);
111}
112
113/* ---- RFCOMM FCS computation ---- */
114
115/* reversed, 8-bit, poly=0x07 */
116static unsigned char rfcomm_crc_table[256] = {
117 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
118 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
119 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
120 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
121
122 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
123 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
124 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
125 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
126
127 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
128 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
129 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
130 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
131
132 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
133 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
134 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
135 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
136
137 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
138 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
139 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
140 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
141
142 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
143 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
144 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
145 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
146
147 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
148 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
149 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
150 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
151
152 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
153 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
154 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
155 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
156};
157
158/* CRC on 2 bytes */
159#define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
160
161/* FCS on 2 bytes */
162static inline u8 __fcs(u8 *data)
163{
164 return 0xff - __crc(data);
165}
166
167/* FCS on 3 bytes */
168static inline u8 __fcs2(u8 *data)
169{
170 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
171}
172
173/* Check FCS */
174static inline int __check_fcs(u8 *data, int type, u8 fcs)
175{
176 u8 f = __crc(data);
177
178 if (type != RFCOMM_UIH)
179 f = rfcomm_crc_table[f ^ data[2]];
180
181 return rfcomm_crc_table[f ^ fcs] != 0xcf;
182}
183
184/* ---- L2CAP callbacks ---- */
185static void rfcomm_l2state_change(struct sock *sk)
186{
187 BT_DBG("%p state %d", sk, sk->sk_state);
188 rfcomm_schedule();
189}
190
191static void rfcomm_l2data_ready(struct sock *sk)
192{
193 BT_DBG("%p", sk);
194 rfcomm_schedule();
195}
196
197static int rfcomm_l2sock_create(struct socket **sock)
198{
199 int err;
200
201 BT_DBG("");
202
203 err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
204 if (!err) {
205 struct sock *sk = (*sock)->sk;
206 sk->sk_data_ready = rfcomm_l2data_ready;
207 sk->sk_state_change = rfcomm_l2state_change;
208 }
209 return err;
210}
211
212static int rfcomm_check_security(struct rfcomm_dlc *d)
213{
214 struct sock *sk = d->session->sock->sk;
215 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
216
217 __u8 auth_type;
218
219 switch (d->sec_level) {
220 case BT_SECURITY_HIGH:
221 case BT_SECURITY_FIPS:
222 auth_type = HCI_AT_GENERAL_BONDING_MITM;
223 break;
224 case BT_SECURITY_MEDIUM:
225 auth_type = HCI_AT_GENERAL_BONDING;
226 break;
227 default:
228 auth_type = HCI_AT_NO_BONDING;
229 break;
230 }
231
232 return hci_conn_security(conn->hcon, d->sec_level, auth_type,
233 d->out);
234}
235
236static void rfcomm_session_timeout(unsigned long arg)
237{
238 struct rfcomm_session *s = (void *) arg;
239
240 BT_DBG("session %p state %ld", s, s->state);
241
242 set_bit(RFCOMM_TIMED_OUT, &s->flags);
243 rfcomm_schedule();
244}
245
246static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
247{
248 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
249
250 mod_timer(&s->timer, jiffies + timeout);
251}
252
253static void rfcomm_session_clear_timer(struct rfcomm_session *s)
254{
255 BT_DBG("session %p state %ld", s, s->state);
256
257 del_timer_sync(&s->timer);
258}
259
260/* ---- RFCOMM DLCs ---- */
261static void rfcomm_dlc_timeout(unsigned long arg)
262{
263 struct rfcomm_dlc *d = (void *) arg;
264
265 BT_DBG("dlc %p state %ld", d, d->state);
266
267 set_bit(RFCOMM_TIMED_OUT, &d->flags);
268 rfcomm_dlc_put(d);
269 rfcomm_schedule();
270}
271
272static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
273{
274 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
275
276 if (!mod_timer(&d->timer, jiffies + timeout))
277 rfcomm_dlc_hold(d);
278}
279
280static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
281{
282 BT_DBG("dlc %p state %ld", d, d->state);
283
284 if (del_timer(&d->timer))
285 rfcomm_dlc_put(d);
286}
287
288static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
289{
290 BT_DBG("%p", d);
291
292 d->state = BT_OPEN;
293 d->flags = 0;
294 d->mscex = 0;
295 d->sec_level = BT_SECURITY_LOW;
296 d->mtu = RFCOMM_DEFAULT_MTU;
297 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
298
299 d->cfc = RFCOMM_CFC_DISABLED;
300 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
301}
302
303struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
304{
305 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
306
307 if (!d)
308 return NULL;
309
310 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
311
312 skb_queue_head_init(&d->tx_queue);
313 mutex_init(&d->lock);
314 atomic_set(&d->refcnt, 1);
315
316 rfcomm_dlc_clear_state(d);
317
318 BT_DBG("%p", d);
319
320 return d;
321}
322
323void rfcomm_dlc_free(struct rfcomm_dlc *d)
324{
325 BT_DBG("%p", d);
326
327 skb_queue_purge(&d->tx_queue);
328 kfree(d);
329}
330
331static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
332{
333 BT_DBG("dlc %p session %p", d, s);
334
335 rfcomm_session_clear_timer(s);
336 rfcomm_dlc_hold(d);
337 list_add(&d->list, &s->dlcs);
338 d->session = s;
339}
340
341static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
342{
343 struct rfcomm_session *s = d->session;
344
345 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
346
347 list_del(&d->list);
348 d->session = NULL;
349 rfcomm_dlc_put(d);
350
351 if (list_empty(&s->dlcs))
352 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
353}
354
355static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
356{
357 struct rfcomm_dlc *d;
358
359 list_for_each_entry(d, &s->dlcs, list)
360 if (d->dlci == dlci)
361 return d;
362
363 return NULL;
364}
365
366static int rfcomm_check_channel(u8 channel)
367{
368 return channel < 1 || channel > 30;
369}
370
371static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
372{
373 struct rfcomm_session *s;
374 int err = 0;
375 u8 dlci;
376
377 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
378 d, d->state, src, dst, channel);
379
380 if (rfcomm_check_channel(channel))
381 return -EINVAL;
382
383 if (d->state != BT_OPEN && d->state != BT_CLOSED)
384 return 0;
385
386 s = rfcomm_session_get(src, dst);
387 if (!s) {
388 s = rfcomm_session_create(src, dst, d->sec_level, &err);
389 if (!s)
390 return err;
391 }
392
393 dlci = __dlci(__session_dir(s), channel);
394
395 /* Check if DLCI already exists */
396 if (rfcomm_dlc_get(s, dlci))
397 return -EBUSY;
398
399 rfcomm_dlc_clear_state(d);
400
401 d->dlci = dlci;
402 d->addr = __addr(s->initiator, dlci);
403 d->priority = 7;
404
405 d->state = BT_CONFIG;
406 rfcomm_dlc_link(s, d);
407
408 d->out = 1;
409
410 d->mtu = s->mtu;
411 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
412
413 if (s->state == BT_CONNECTED) {
414 if (rfcomm_check_security(d))
415 rfcomm_send_pn(s, 1, d);
416 else
417 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
418 }
419
420 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
421
422 return 0;
423}
424
425int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
426{
427 int r;
428
429 rfcomm_lock();
430
431 r = __rfcomm_dlc_open(d, src, dst, channel);
432
433 rfcomm_unlock();
434 return r;
435}
436
437static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
438{
439 struct rfcomm_session *s = d->session;
440
441 d->state = BT_DISCONN;
442 if (skb_queue_empty(&d->tx_queue)) {
443 rfcomm_send_disc(s, d->dlci);
444 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
445 } else {
446 rfcomm_queue_disc(d);
447 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
448 }
449}
450
451static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
452{
453 struct rfcomm_session *s = d->session;
454 if (!s)
455 return 0;
456
457 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
458 d, d->state, d->dlci, err, s);
459
460 switch (d->state) {
461 case BT_CONNECT:
462 case BT_CONFIG:
463 case BT_OPEN:
464 case BT_CONNECT2:
465 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
466 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
467 rfcomm_schedule();
468 return 0;
469 }
470 }
471
472 switch (d->state) {
473 case BT_CONNECT:
474 case BT_CONNECTED:
475 __rfcomm_dlc_disconn(d);
476 break;
477
478 case BT_CONFIG:
479 if (s->state != BT_BOUND) {
480 __rfcomm_dlc_disconn(d);
481 break;
482 }
483 /* if closing a dlc in a session that hasn't been started,
484 * just close and unlink the dlc
485 */
486
487 default:
488 rfcomm_dlc_clear_timer(d);
489
490 rfcomm_dlc_lock(d);
491 d->state = BT_CLOSED;
492 d->state_change(d, err);
493 rfcomm_dlc_unlock(d);
494
495 skb_queue_purge(&d->tx_queue);
496 rfcomm_dlc_unlink(d);
497 }
498
499 return 0;
500}
501
502int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
503{
504 int r = 0;
505 struct rfcomm_dlc *d_list;
506 struct rfcomm_session *s, *s_list;
507
508 BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
509
510 rfcomm_lock();
511
512 s = d->session;
513 if (!s)
514 goto no_session;
515
516 /* after waiting on the mutex check the session still exists
517 * then check the dlc still exists
518 */
519 list_for_each_entry(s_list, &session_list, list) {
520 if (s_list == s) {
521 list_for_each_entry(d_list, &s->dlcs, list) {
522 if (d_list == d) {
523 r = __rfcomm_dlc_close(d, err);
524 break;
525 }
526 }
527 break;
528 }
529 }
530
531no_session:
532 rfcomm_unlock();
533 return r;
534}
535
536struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
537{
538 struct rfcomm_session *s;
539 struct rfcomm_dlc *dlc = NULL;
540 u8 dlci;
541
542 if (rfcomm_check_channel(channel))
543 return ERR_PTR(-EINVAL);
544
545 rfcomm_lock();
546 s = rfcomm_session_get(src, dst);
547 if (s) {
548 dlci = __dlci(__session_dir(s), channel);
549 dlc = rfcomm_dlc_get(s, dlci);
550 }
551 rfcomm_unlock();
552 return dlc;
553}
554
555int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
556{
557 int len = skb->len;
558
559 if (d->state != BT_CONNECTED)
560 return -ENOTCONN;
561
562 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
563
564 if (len > d->mtu)
565 return -EINVAL;
566
567 rfcomm_make_uih(skb, d->addr);
568 skb_queue_tail(&d->tx_queue, skb);
569
570 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
571 rfcomm_schedule();
572 return len;
573}
574
575void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
576{
577 int len = skb->len;
578
579 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
580
581 rfcomm_make_uih(skb, d->addr);
582 skb_queue_tail(&d->tx_queue, skb);
583
584 if (d->state == BT_CONNECTED &&
585 !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
586 rfcomm_schedule();
587}
588
589void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
590{
591 BT_DBG("dlc %p state %ld", d, d->state);
592
593 if (!d->cfc) {
594 d->v24_sig |= RFCOMM_V24_FC;
595 set_bit(RFCOMM_MSC_PENDING, &d->flags);
596 }
597 rfcomm_schedule();
598}
599
600void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
601{
602 BT_DBG("dlc %p state %ld", d, d->state);
603
604 if (!d->cfc) {
605 d->v24_sig &= ~RFCOMM_V24_FC;
606 set_bit(RFCOMM_MSC_PENDING, &d->flags);
607 }
608 rfcomm_schedule();
609}
610
611/*
612 Set/get modem status functions use _local_ status i.e. what we report
613 to the other side.
614 Remote status is provided by dlc->modem_status() callback.
615 */
616int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
617{
618 BT_DBG("dlc %p state %ld v24_sig 0x%x",
619 d, d->state, v24_sig);
620
621 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
622 v24_sig |= RFCOMM_V24_FC;
623 else
624 v24_sig &= ~RFCOMM_V24_FC;
625
626 d->v24_sig = v24_sig;
627
628 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
629 rfcomm_schedule();
630
631 return 0;
632}
633
634int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
635{
636 BT_DBG("dlc %p state %ld v24_sig 0x%x",
637 d, d->state, d->v24_sig);
638
639 *v24_sig = d->v24_sig;
640 return 0;
641}
642
643/* ---- RFCOMM sessions ---- */
644static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
645{
646 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
647
648 if (!s)
649 return NULL;
650
651 BT_DBG("session %p sock %p", s, sock);
652
653 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
654
655 INIT_LIST_HEAD(&s->dlcs);
656 s->state = state;
657 s->sock = sock;
658
659 s->mtu = RFCOMM_DEFAULT_MTU;
660 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
661
662 /* Do not increment module usage count for listening sessions.
663 * Otherwise we won't be able to unload the module. */
664 if (state != BT_LISTEN)
665 if (!try_module_get(THIS_MODULE)) {
666 kfree(s);
667 return NULL;
668 }
669
670 list_add(&s->list, &session_list);
671
672 return s;
673}
674
675static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
676{
677 int state = s->state;
678
679 BT_DBG("session %p state %ld", s, s->state);
680
681 list_del(&s->list);
682
683 rfcomm_session_clear_timer(s);
684 sock_release(s->sock);
685 kfree(s);
686
687 if (state != BT_LISTEN)
688 module_put(THIS_MODULE);
689
690 return NULL;
691}
692
693static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
694{
695 struct rfcomm_session *s, *n;
696 struct l2cap_chan *chan;
697 list_for_each_entry_safe(s, n, &session_list, list) {
698 chan = l2cap_pi(s->sock->sk)->chan;
699
700 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) &&
701 !bacmp(&chan->dst, dst))
702 return s;
703 }
704 return NULL;
705}
706
707static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
708 int err)
709{
710 struct rfcomm_dlc *d, *n;
711
712 s->state = BT_CLOSED;
713
714 BT_DBG("session %p state %ld err %d", s, s->state, err);
715
716 /* Close all dlcs */
717 list_for_each_entry_safe(d, n, &s->dlcs, list) {
718 d->state = BT_CLOSED;
719 __rfcomm_dlc_close(d, err);
720 }
721
722 rfcomm_session_clear_timer(s);
723 return rfcomm_session_del(s);
724}
725
726static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
727 bdaddr_t *dst,
728 u8 sec_level,
729 int *err)
730{
731 struct rfcomm_session *s = NULL;
732 struct sockaddr_l2 addr;
733 struct socket *sock;
734 struct sock *sk;
735
736 BT_DBG("%pMR -> %pMR", src, dst);
737
738 *err = rfcomm_l2sock_create(&sock);
739 if (*err < 0)
740 return NULL;
741
742 bacpy(&addr.l2_bdaddr, src);
743 addr.l2_family = AF_BLUETOOTH;
744 addr.l2_psm = 0;
745 addr.l2_cid = 0;
746 addr.l2_bdaddr_type = BDADDR_BREDR;
747 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
748 if (*err < 0)
749 goto failed;
750
751 /* Set L2CAP options */
752 sk = sock->sk;
753 lock_sock(sk);
754 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
755 l2cap_pi(sk)->chan->sec_level = sec_level;
756 if (l2cap_ertm)
757 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
758 release_sock(sk);
759
760 s = rfcomm_session_add(sock, BT_BOUND);
761 if (!s) {
762 *err = -ENOMEM;
763 goto failed;
764 }
765
766 s->initiator = 1;
767
768 bacpy(&addr.l2_bdaddr, dst);
769 addr.l2_family = AF_BLUETOOTH;
770 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM);
771 addr.l2_cid = 0;
772 addr.l2_bdaddr_type = BDADDR_BREDR;
773 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
774 if (*err == 0 || *err == -EINPROGRESS)
775 return s;
776
777 return rfcomm_session_del(s);
778
779failed:
780 sock_release(sock);
781 return NULL;
782}
783
784void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
785{
786 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
787 if (src)
788 bacpy(src, &chan->src);
789 if (dst)
790 bacpy(dst, &chan->dst);
791}
792
793/* ---- RFCOMM frame sending ---- */
794static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
795{
796 struct kvec iv = { data, len };
797 struct msghdr msg;
798
799 BT_DBG("session %p len %d", s, len);
800
801 memset(&msg, 0, sizeof(msg));
802
803 return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
804}
805
806static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
807{
808 BT_DBG("%p cmd %u", s, cmd->ctrl);
809
810 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
811}
812
813static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
814{
815 struct rfcomm_cmd cmd;
816
817 BT_DBG("%p dlci %d", s, dlci);
818
819 cmd.addr = __addr(s->initiator, dlci);
820 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
821 cmd.len = __len8(0);
822 cmd.fcs = __fcs2((u8 *) &cmd);
823
824 return rfcomm_send_cmd(s, &cmd);
825}
826
827static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
828{
829 struct rfcomm_cmd cmd;
830
831 BT_DBG("%p dlci %d", s, dlci);
832
833 cmd.addr = __addr(!s->initiator, dlci);
834 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
835 cmd.len = __len8(0);
836 cmd.fcs = __fcs2((u8 *) &cmd);
837
838 return rfcomm_send_cmd(s, &cmd);
839}
840
841static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
842{
843 struct rfcomm_cmd cmd;
844
845 BT_DBG("%p dlci %d", s, dlci);
846
847 cmd.addr = __addr(s->initiator, dlci);
848 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
849 cmd.len = __len8(0);
850 cmd.fcs = __fcs2((u8 *) &cmd);
851
852 return rfcomm_send_cmd(s, &cmd);
853}
854
855static int rfcomm_queue_disc(struct rfcomm_dlc *d)
856{
857 struct rfcomm_cmd *cmd;
858 struct sk_buff *skb;
859
860 BT_DBG("dlc %p dlci %d", d, d->dlci);
861
862 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
863 if (!skb)
864 return -ENOMEM;
865
866 cmd = (void *) __skb_put(skb, sizeof(*cmd));
867 cmd->addr = d->addr;
868 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
869 cmd->len = __len8(0);
870 cmd->fcs = __fcs2((u8 *) cmd);
871
872 skb_queue_tail(&d->tx_queue, skb);
873 rfcomm_schedule();
874 return 0;
875}
876
877static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
878{
879 struct rfcomm_cmd cmd;
880
881 BT_DBG("%p dlci %d", s, dlci);
882
883 cmd.addr = __addr(!s->initiator, dlci);
884 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
885 cmd.len = __len8(0);
886 cmd.fcs = __fcs2((u8 *) &cmd);
887
888 return rfcomm_send_cmd(s, &cmd);
889}
890
891static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
892{
893 struct rfcomm_hdr *hdr;
894 struct rfcomm_mcc *mcc;
895 u8 buf[16], *ptr = buf;
896
897 BT_DBG("%p cr %d type %d", s, cr, type);
898
899 hdr = (void *) ptr; ptr += sizeof(*hdr);
900 hdr->addr = __addr(s->initiator, 0);
901 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
902 hdr->len = __len8(sizeof(*mcc) + 1);
903
904 mcc = (void *) ptr; ptr += sizeof(*mcc);
905 mcc->type = __mcc_type(0, RFCOMM_NSC);
906 mcc->len = __len8(1);
907
908 /* Type that we didn't like */
909 *ptr = __mcc_type(cr, type); ptr++;
910
911 *ptr = __fcs(buf); ptr++;
912
913 return rfcomm_send_frame(s, buf, ptr - buf);
914}
915
916static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
917{
918 struct rfcomm_hdr *hdr;
919 struct rfcomm_mcc *mcc;
920 struct rfcomm_pn *pn;
921 u8 buf[16], *ptr = buf;
922
923 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
924
925 hdr = (void *) ptr; ptr += sizeof(*hdr);
926 hdr->addr = __addr(s->initiator, 0);
927 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
928 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
929
930 mcc = (void *) ptr; ptr += sizeof(*mcc);
931 mcc->type = __mcc_type(cr, RFCOMM_PN);
932 mcc->len = __len8(sizeof(*pn));
933
934 pn = (void *) ptr; ptr += sizeof(*pn);
935 pn->dlci = d->dlci;
936 pn->priority = d->priority;
937 pn->ack_timer = 0;
938 pn->max_retrans = 0;
939
940 if (s->cfc) {
941 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
942 pn->credits = RFCOMM_DEFAULT_CREDITS;
943 } else {
944 pn->flow_ctrl = 0;
945 pn->credits = 0;
946 }
947
948 if (cr && channel_mtu >= 0)
949 pn->mtu = cpu_to_le16(channel_mtu);
950 else
951 pn->mtu = cpu_to_le16(d->mtu);
952
953 *ptr = __fcs(buf); ptr++;
954
955 return rfcomm_send_frame(s, buf, ptr - buf);
956}
957
958int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
959 u8 bit_rate, u8 data_bits, u8 stop_bits,
960 u8 parity, u8 flow_ctrl_settings,
961 u8 xon_char, u8 xoff_char, u16 param_mask)
962{
963 struct rfcomm_hdr *hdr;
964 struct rfcomm_mcc *mcc;
965 struct rfcomm_rpn *rpn;
966 u8 buf[16], *ptr = buf;
967
968 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
969 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
970 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
971 flow_ctrl_settings, xon_char, xoff_char, param_mask);
972
973 hdr = (void *) ptr; ptr += sizeof(*hdr);
974 hdr->addr = __addr(s->initiator, 0);
975 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
976 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
977
978 mcc = (void *) ptr; ptr += sizeof(*mcc);
979 mcc->type = __mcc_type(cr, RFCOMM_RPN);
980 mcc->len = __len8(sizeof(*rpn));
981
982 rpn = (void *) ptr; ptr += sizeof(*rpn);
983 rpn->dlci = __addr(1, dlci);
984 rpn->bit_rate = bit_rate;
985 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
986 rpn->flow_ctrl = flow_ctrl_settings;
987 rpn->xon_char = xon_char;
988 rpn->xoff_char = xoff_char;
989 rpn->param_mask = cpu_to_le16(param_mask);
990
991 *ptr = __fcs(buf); ptr++;
992
993 return rfcomm_send_frame(s, buf, ptr - buf);
994}
995
996static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
997{
998 struct rfcomm_hdr *hdr;
999 struct rfcomm_mcc *mcc;
1000 struct rfcomm_rls *rls;
1001 u8 buf[16], *ptr = buf;
1002
1003 BT_DBG("%p cr %d status 0x%x", s, cr, status);
1004
1005 hdr = (void *) ptr; ptr += sizeof(*hdr);
1006 hdr->addr = __addr(s->initiator, 0);
1007 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1008 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
1009
1010 mcc = (void *) ptr; ptr += sizeof(*mcc);
1011 mcc->type = __mcc_type(cr, RFCOMM_RLS);
1012 mcc->len = __len8(sizeof(*rls));
1013
1014 rls = (void *) ptr; ptr += sizeof(*rls);
1015 rls->dlci = __addr(1, dlci);
1016 rls->status = status;
1017
1018 *ptr = __fcs(buf); ptr++;
1019
1020 return rfcomm_send_frame(s, buf, ptr - buf);
1021}
1022
1023static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
1024{
1025 struct rfcomm_hdr *hdr;
1026 struct rfcomm_mcc *mcc;
1027 struct rfcomm_msc *msc;
1028 u8 buf[16], *ptr = buf;
1029
1030 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
1031
1032 hdr = (void *) ptr; ptr += sizeof(*hdr);
1033 hdr->addr = __addr(s->initiator, 0);
1034 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1035 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
1036
1037 mcc = (void *) ptr; ptr += sizeof(*mcc);
1038 mcc->type = __mcc_type(cr, RFCOMM_MSC);
1039 mcc->len = __len8(sizeof(*msc));
1040
1041 msc = (void *) ptr; ptr += sizeof(*msc);
1042 msc->dlci = __addr(1, dlci);
1043 msc->v24_sig = v24_sig | 0x01;
1044
1045 *ptr = __fcs(buf); ptr++;
1046
1047 return rfcomm_send_frame(s, buf, ptr - buf);
1048}
1049
1050static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1051{
1052 struct rfcomm_hdr *hdr;
1053 struct rfcomm_mcc *mcc;
1054 u8 buf[16], *ptr = buf;
1055
1056 BT_DBG("%p cr %d", s, cr);
1057
1058 hdr = (void *) ptr; ptr += sizeof(*hdr);
1059 hdr->addr = __addr(s->initiator, 0);
1060 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1061 hdr->len = __len8(sizeof(*mcc));
1062
1063 mcc = (void *) ptr; ptr += sizeof(*mcc);
1064 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1065 mcc->len = __len8(0);
1066
1067 *ptr = __fcs(buf); ptr++;
1068
1069 return rfcomm_send_frame(s, buf, ptr - buf);
1070}
1071
1072static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1073{
1074 struct rfcomm_hdr *hdr;
1075 struct rfcomm_mcc *mcc;
1076 u8 buf[16], *ptr = buf;
1077
1078 BT_DBG("%p cr %d", s, cr);
1079
1080 hdr = (void *) ptr; ptr += sizeof(*hdr);
1081 hdr->addr = __addr(s->initiator, 0);
1082 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1083 hdr->len = __len8(sizeof(*mcc));
1084
1085 mcc = (void *) ptr; ptr += sizeof(*mcc);
1086 mcc->type = __mcc_type(cr, RFCOMM_FCON);
1087 mcc->len = __len8(0);
1088
1089 *ptr = __fcs(buf); ptr++;
1090
1091 return rfcomm_send_frame(s, buf, ptr - buf);
1092}
1093
1094static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1095{
1096 struct socket *sock = s->sock;
1097 struct kvec iv[3];
1098 struct msghdr msg;
1099 unsigned char hdr[5], crc[1];
1100
1101 if (len > 125)
1102 return -EINVAL;
1103
1104 BT_DBG("%p cr %d", s, cr);
1105
1106 hdr[0] = __addr(s->initiator, 0);
1107 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1108 hdr[2] = 0x01 | ((len + 2) << 1);
1109 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1110 hdr[4] = 0x01 | (len << 1);
1111
1112 crc[0] = __fcs(hdr);
1113
1114 iv[0].iov_base = hdr;
1115 iv[0].iov_len = 5;
1116 iv[1].iov_base = pattern;
1117 iv[1].iov_len = len;
1118 iv[2].iov_base = crc;
1119 iv[2].iov_len = 1;
1120
1121 memset(&msg, 0, sizeof(msg));
1122
1123 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1124}
1125
1126static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1127{
1128 struct rfcomm_hdr *hdr;
1129 u8 buf[16], *ptr = buf;
1130
1131 BT_DBG("%p addr %d credits %d", s, addr, credits);
1132
1133 hdr = (void *) ptr; ptr += sizeof(*hdr);
1134 hdr->addr = addr;
1135 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1136 hdr->len = __len8(0);
1137
1138 *ptr = credits; ptr++;
1139
1140 *ptr = __fcs(buf); ptr++;
1141
1142 return rfcomm_send_frame(s, buf, ptr - buf);
1143}
1144
1145static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1146{
1147 struct rfcomm_hdr *hdr;
1148 int len = skb->len;
1149 u8 *crc;
1150
1151 if (len > 127) {
1152 hdr = (void *) skb_push(skb, 4);
1153 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1154 } else {
1155 hdr = (void *) skb_push(skb, 3);
1156 hdr->len = __len8(len);
1157 }
1158 hdr->addr = addr;
1159 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1160
1161 crc = skb_put(skb, 1);
1162 *crc = __fcs((void *) hdr);
1163}
1164
1165/* ---- RFCOMM frame reception ---- */
1166static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1167{
1168 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1169
1170 if (dlci) {
1171 /* Data channel */
1172 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1173 if (!d) {
1174 rfcomm_send_dm(s, dlci);
1175 return s;
1176 }
1177
1178 switch (d->state) {
1179 case BT_CONNECT:
1180 rfcomm_dlc_clear_timer(d);
1181
1182 rfcomm_dlc_lock(d);
1183 d->state = BT_CONNECTED;
1184 d->state_change(d, 0);
1185 rfcomm_dlc_unlock(d);
1186
1187 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1188 break;
1189
1190 case BT_DISCONN:
1191 d->state = BT_CLOSED;
1192 __rfcomm_dlc_close(d, 0);
1193
1194 if (list_empty(&s->dlcs)) {
1195 s->state = BT_DISCONN;
1196 rfcomm_send_disc(s, 0);
1197 rfcomm_session_clear_timer(s);
1198 }
1199
1200 break;
1201 }
1202 } else {
1203 /* Control channel */
1204 switch (s->state) {
1205 case BT_CONNECT:
1206 s->state = BT_CONNECTED;
1207 rfcomm_process_connect(s);
1208 break;
1209
1210 case BT_DISCONN:
1211 s = rfcomm_session_close(s, ECONNRESET);
1212 break;
1213 }
1214 }
1215 return s;
1216}
1217
1218static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1219{
1220 int err = 0;
1221
1222 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1223
1224 if (dlci) {
1225 /* Data DLC */
1226 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1227 if (d) {
1228 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1229 err = ECONNREFUSED;
1230 else
1231 err = ECONNRESET;
1232
1233 d->state = BT_CLOSED;
1234 __rfcomm_dlc_close(d, err);
1235 }
1236 } else {
1237 if (s->state == BT_CONNECT)
1238 err = ECONNREFUSED;
1239 else
1240 err = ECONNRESET;
1241
1242 s = rfcomm_session_close(s, err);
1243 }
1244 return s;
1245}
1246
1247static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1248 u8 dlci)
1249{
1250 int err = 0;
1251
1252 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1253
1254 if (dlci) {
1255 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1256 if (d) {
1257 rfcomm_send_ua(s, dlci);
1258
1259 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1260 err = ECONNREFUSED;
1261 else
1262 err = ECONNRESET;
1263
1264 d->state = BT_CLOSED;
1265 __rfcomm_dlc_close(d, err);
1266 } else
1267 rfcomm_send_dm(s, dlci);
1268
1269 } else {
1270 rfcomm_send_ua(s, 0);
1271
1272 if (s->state == BT_CONNECT)
1273 err = ECONNREFUSED;
1274 else
1275 err = ECONNRESET;
1276
1277 s = rfcomm_session_close(s, err);
1278 }
1279 return s;
1280}
1281
1282void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1283{
1284 struct sock *sk = d->session->sock->sk;
1285 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1286
1287 BT_DBG("dlc %p", d);
1288
1289 rfcomm_send_ua(d->session, d->dlci);
1290
1291 rfcomm_dlc_clear_timer(d);
1292
1293 rfcomm_dlc_lock(d);
1294 d->state = BT_CONNECTED;
1295 d->state_change(d, 0);
1296 rfcomm_dlc_unlock(d);
1297
1298 if (d->role_switch)
1299 hci_conn_switch_role(conn->hcon, 0x00);
1300
1301 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1302}
1303
1304static void rfcomm_check_accept(struct rfcomm_dlc *d)
1305{
1306 if (rfcomm_check_security(d)) {
1307 if (d->defer_setup) {
1308 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1309 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1310
1311 rfcomm_dlc_lock(d);
1312 d->state = BT_CONNECT2;
1313 d->state_change(d, 0);
1314 rfcomm_dlc_unlock(d);
1315 } else
1316 rfcomm_dlc_accept(d);
1317 } else {
1318 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1319 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1320 }
1321}
1322
1323static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1324{
1325 struct rfcomm_dlc *d;
1326 u8 channel;
1327
1328 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1329
1330 if (!dlci) {
1331 rfcomm_send_ua(s, 0);
1332
1333 if (s->state == BT_OPEN) {
1334 s->state = BT_CONNECTED;
1335 rfcomm_process_connect(s);
1336 }
1337 return 0;
1338 }
1339
1340 /* Check if DLC exists */
1341 d = rfcomm_dlc_get(s, dlci);
1342 if (d) {
1343 if (d->state == BT_OPEN) {
1344 /* DLC was previously opened by PN request */
1345 rfcomm_check_accept(d);
1346 }
1347 return 0;
1348 }
1349
1350 /* Notify socket layer about incoming connection */
1351 channel = __srv_channel(dlci);
1352 if (rfcomm_connect_ind(s, channel, &d)) {
1353 d->dlci = dlci;
1354 d->addr = __addr(s->initiator, dlci);
1355 rfcomm_dlc_link(s, d);
1356
1357 rfcomm_check_accept(d);
1358 } else {
1359 rfcomm_send_dm(s, dlci);
1360 }
1361
1362 return 0;
1363}
1364
1365static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1366{
1367 struct rfcomm_session *s = d->session;
1368
1369 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1370 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1371
1372 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1373 pn->flow_ctrl == 0xe0) {
1374 d->cfc = RFCOMM_CFC_ENABLED;
1375 d->tx_credits = pn->credits;
1376 } else {
1377 d->cfc = RFCOMM_CFC_DISABLED;
1378 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1379 }
1380
1381 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1382 s->cfc = d->cfc;
1383
1384 d->priority = pn->priority;
1385
1386 d->mtu = __le16_to_cpu(pn->mtu);
1387
1388 if (cr && d->mtu > s->mtu)
1389 d->mtu = s->mtu;
1390
1391 return 0;
1392}
1393
1394static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1395{
1396 struct rfcomm_pn *pn = (void *) skb->data;
1397 struct rfcomm_dlc *d;
1398 u8 dlci = pn->dlci;
1399
1400 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1401
1402 if (!dlci)
1403 return 0;
1404
1405 d = rfcomm_dlc_get(s, dlci);
1406 if (d) {
1407 if (cr) {
1408 /* PN request */
1409 rfcomm_apply_pn(d, cr, pn);
1410 rfcomm_send_pn(s, 0, d);
1411 } else {
1412 /* PN response */
1413 switch (d->state) {
1414 case BT_CONFIG:
1415 rfcomm_apply_pn(d, cr, pn);
1416
1417 d->state = BT_CONNECT;
1418 rfcomm_send_sabm(s, d->dlci);
1419 break;
1420 }
1421 }
1422 } else {
1423 u8 channel = __srv_channel(dlci);
1424
1425 if (!cr)
1426 return 0;
1427
1428 /* PN request for non existing DLC.
1429 * Assume incoming connection. */
1430 if (rfcomm_connect_ind(s, channel, &d)) {
1431 d->dlci = dlci;
1432 d->addr = __addr(s->initiator, dlci);
1433 rfcomm_dlc_link(s, d);
1434
1435 rfcomm_apply_pn(d, cr, pn);
1436
1437 d->state = BT_OPEN;
1438 rfcomm_send_pn(s, 0, d);
1439 } else {
1440 rfcomm_send_dm(s, dlci);
1441 }
1442 }
1443 return 0;
1444}
1445
1446static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1447{
1448 struct rfcomm_rpn *rpn = (void *) skb->data;
1449 u8 dlci = __get_dlci(rpn->dlci);
1450
1451 u8 bit_rate = 0;
1452 u8 data_bits = 0;
1453 u8 stop_bits = 0;
1454 u8 parity = 0;
1455 u8 flow_ctrl = 0;
1456 u8 xon_char = 0;
1457 u8 xoff_char = 0;
1458 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1459
1460 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1461 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1462 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1463
1464 if (!cr)
1465 return 0;
1466
1467 if (len == 1) {
1468 /* This is a request, return default (according to ETSI TS 07.10) settings */
1469 bit_rate = RFCOMM_RPN_BR_9600;
1470 data_bits = RFCOMM_RPN_DATA_8;
1471 stop_bits = RFCOMM_RPN_STOP_1;
1472 parity = RFCOMM_RPN_PARITY_NONE;
1473 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1474 xon_char = RFCOMM_RPN_XON_CHAR;
1475 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1476 goto rpn_out;
1477 }
1478
1479 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1480 * no parity, no flow control lines, normal XON/XOFF chars */
1481
1482 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1483 bit_rate = rpn->bit_rate;
1484 if (bit_rate > RFCOMM_RPN_BR_230400) {
1485 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1486 bit_rate = RFCOMM_RPN_BR_9600;
1487 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1488 }
1489 }
1490
1491 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1492 data_bits = __get_rpn_data_bits(rpn->line_settings);
1493 if (data_bits != RFCOMM_RPN_DATA_8) {
1494 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1495 data_bits = RFCOMM_RPN_DATA_8;
1496 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1497 }
1498 }
1499
1500 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1501 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1502 if (stop_bits != RFCOMM_RPN_STOP_1) {
1503 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1504 stop_bits = RFCOMM_RPN_STOP_1;
1505 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1506 }
1507 }
1508
1509 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1510 parity = __get_rpn_parity(rpn->line_settings);
1511 if (parity != RFCOMM_RPN_PARITY_NONE) {
1512 BT_DBG("RPN parity mismatch 0x%x", parity);
1513 parity = RFCOMM_RPN_PARITY_NONE;
1514 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1515 }
1516 }
1517
1518 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1519 flow_ctrl = rpn->flow_ctrl;
1520 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1521 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1522 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1523 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1524 }
1525 }
1526
1527 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1528 xon_char = rpn->xon_char;
1529 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1530 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1531 xon_char = RFCOMM_RPN_XON_CHAR;
1532 rpn_mask ^= RFCOMM_RPN_PM_XON;
1533 }
1534 }
1535
1536 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1537 xoff_char = rpn->xoff_char;
1538 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1539 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1540 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1541 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1542 }
1543 }
1544
1545rpn_out:
1546 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1547 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1548
1549 return 0;
1550}
1551
1552static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1553{
1554 struct rfcomm_rls *rls = (void *) skb->data;
1555 u8 dlci = __get_dlci(rls->dlci);
1556
1557 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1558
1559 if (!cr)
1560 return 0;
1561
1562 /* We should probably do something with this information here. But
1563 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1564 * mandatory to recognise and respond to RLS */
1565
1566 rfcomm_send_rls(s, 0, dlci, rls->status);
1567
1568 return 0;
1569}
1570
1571static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1572{
1573 struct rfcomm_msc *msc = (void *) skb->data;
1574 struct rfcomm_dlc *d;
1575 u8 dlci = __get_dlci(msc->dlci);
1576
1577 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1578
1579 d = rfcomm_dlc_get(s, dlci);
1580 if (!d)
1581 return 0;
1582
1583 if (cr) {
1584 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1585 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1586 else
1587 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1588
1589 rfcomm_dlc_lock(d);
1590
1591 d->remote_v24_sig = msc->v24_sig;
1592
1593 if (d->modem_status)
1594 d->modem_status(d, msc->v24_sig);
1595
1596 rfcomm_dlc_unlock(d);
1597
1598 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1599
1600 d->mscex |= RFCOMM_MSCEX_RX;
1601 } else
1602 d->mscex |= RFCOMM_MSCEX_TX;
1603
1604 return 0;
1605}
1606
1607static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1608{
1609 struct rfcomm_mcc *mcc = (void *) skb->data;
1610 u8 type, cr, len;
1611
1612 cr = __test_cr(mcc->type);
1613 type = __get_mcc_type(mcc->type);
1614 len = __get_mcc_len(mcc->len);
1615
1616 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1617
1618 skb_pull(skb, 2);
1619
1620 switch (type) {
1621 case RFCOMM_PN:
1622 rfcomm_recv_pn(s, cr, skb);
1623 break;
1624
1625 case RFCOMM_RPN:
1626 rfcomm_recv_rpn(s, cr, len, skb);
1627 break;
1628
1629 case RFCOMM_RLS:
1630 rfcomm_recv_rls(s, cr, skb);
1631 break;
1632
1633 case RFCOMM_MSC:
1634 rfcomm_recv_msc(s, cr, skb);
1635 break;
1636
1637 case RFCOMM_FCOFF:
1638 if (cr) {
1639 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1640 rfcomm_send_fcoff(s, 0);
1641 }
1642 break;
1643
1644 case RFCOMM_FCON:
1645 if (cr) {
1646 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1647 rfcomm_send_fcon(s, 0);
1648 }
1649 break;
1650
1651 case RFCOMM_TEST:
1652 if (cr)
1653 rfcomm_send_test(s, 0, skb->data, skb->len);
1654 break;
1655
1656 case RFCOMM_NSC:
1657 break;
1658
1659 default:
1660 BT_ERR("Unknown control type 0x%02x", type);
1661 rfcomm_send_nsc(s, cr, type);
1662 break;
1663 }
1664 return 0;
1665}
1666
1667static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1668{
1669 struct rfcomm_dlc *d;
1670
1671 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1672
1673 d = rfcomm_dlc_get(s, dlci);
1674 if (!d) {
1675 rfcomm_send_dm(s, dlci);
1676 goto drop;
1677 }
1678
1679 if (pf && d->cfc) {
1680 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1681
1682 d->tx_credits += credits;
1683 if (d->tx_credits)
1684 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1685 }
1686
1687 if (skb->len && d->state == BT_CONNECTED) {
1688 rfcomm_dlc_lock(d);
1689 d->rx_credits--;
1690 d->data_ready(d, skb);
1691 rfcomm_dlc_unlock(d);
1692 return 0;
1693 }
1694
1695drop:
1696 kfree_skb(skb);
1697 return 0;
1698}
1699
1700static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1701 struct sk_buff *skb)
1702{
1703 struct rfcomm_hdr *hdr = (void *) skb->data;
1704 u8 type, dlci, fcs;
1705
1706 if (!s) {
1707 /* no session, so free socket data */
1708 kfree_skb(skb);
1709 return s;
1710 }
1711
1712 dlci = __get_dlci(hdr->addr);
1713 type = __get_type(hdr->ctrl);
1714
1715 /* Trim FCS */
1716 skb->len--; skb->tail--;
1717 fcs = *(u8 *)skb_tail_pointer(skb);
1718
1719 if (__check_fcs(skb->data, type, fcs)) {
1720 BT_ERR("bad checksum in packet");
1721 kfree_skb(skb);
1722 return s;
1723 }
1724
1725 if (__test_ea(hdr->len))
1726 skb_pull(skb, 3);
1727 else
1728 skb_pull(skb, 4);
1729
1730 switch (type) {
1731 case RFCOMM_SABM:
1732 if (__test_pf(hdr->ctrl))
1733 rfcomm_recv_sabm(s, dlci);
1734 break;
1735
1736 case RFCOMM_DISC:
1737 if (__test_pf(hdr->ctrl))
1738 s = rfcomm_recv_disc(s, dlci);
1739 break;
1740
1741 case RFCOMM_UA:
1742 if (__test_pf(hdr->ctrl))
1743 s = rfcomm_recv_ua(s, dlci);
1744 break;
1745
1746 case RFCOMM_DM:
1747 s = rfcomm_recv_dm(s, dlci);
1748 break;
1749
1750 case RFCOMM_UIH:
1751 if (dlci) {
1752 rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1753 return s;
1754 }
1755 rfcomm_recv_mcc(s, skb);
1756 break;
1757
1758 default:
1759 BT_ERR("Unknown packet type 0x%02x", type);
1760 break;
1761 }
1762 kfree_skb(skb);
1763 return s;
1764}
1765
1766/* ---- Connection and data processing ---- */
1767
1768static void rfcomm_process_connect(struct rfcomm_session *s)
1769{
1770 struct rfcomm_dlc *d, *n;
1771
1772 BT_DBG("session %p state %ld", s, s->state);
1773
1774 list_for_each_entry_safe(d, n, &s->dlcs, list) {
1775 if (d->state == BT_CONFIG) {
1776 d->mtu = s->mtu;
1777 if (rfcomm_check_security(d)) {
1778 rfcomm_send_pn(s, 1, d);
1779 } else {
1780 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1781 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1782 }
1783 }
1784 }
1785}
1786
1787/* Send data queued for the DLC.
1788 * Return number of frames left in the queue.
1789 */
1790static int rfcomm_process_tx(struct rfcomm_dlc *d)
1791{
1792 struct sk_buff *skb;
1793 int err;
1794
1795 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1796 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1797
1798 /* Send pending MSC */
1799 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1800 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1801
1802 if (d->cfc) {
1803 /* CFC enabled.
1804 * Give them some credits */
1805 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1806 d->rx_credits <= (d->cfc >> 2)) {
1807 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1808 d->rx_credits = d->cfc;
1809 }
1810 } else {
1811 /* CFC disabled.
1812 * Give ourselves some credits */
1813 d->tx_credits = 5;
1814 }
1815
1816 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1817 return skb_queue_len(&d->tx_queue);
1818
1819 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1820 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1821 if (err < 0) {
1822 skb_queue_head(&d->tx_queue, skb);
1823 break;
1824 }
1825 kfree_skb(skb);
1826 d->tx_credits--;
1827 }
1828
1829 if (d->cfc && !d->tx_credits) {
1830 /* We're out of TX credits.
1831 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1832 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1833 }
1834
1835 return skb_queue_len(&d->tx_queue);
1836}
1837
1838static void rfcomm_process_dlcs(struct rfcomm_session *s)
1839{
1840 struct rfcomm_dlc *d, *n;
1841
1842 BT_DBG("session %p state %ld", s, s->state);
1843
1844 list_for_each_entry_safe(d, n, &s->dlcs, list) {
1845 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1846 __rfcomm_dlc_close(d, ETIMEDOUT);
1847 continue;
1848 }
1849
1850 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1851 __rfcomm_dlc_close(d, ECONNREFUSED);
1852 continue;
1853 }
1854
1855 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1856 rfcomm_dlc_clear_timer(d);
1857 if (d->out) {
1858 rfcomm_send_pn(s, 1, d);
1859 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1860 } else {
1861 if (d->defer_setup) {
1862 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1863 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1864
1865 rfcomm_dlc_lock(d);
1866 d->state = BT_CONNECT2;
1867 d->state_change(d, 0);
1868 rfcomm_dlc_unlock(d);
1869 } else
1870 rfcomm_dlc_accept(d);
1871 }
1872 continue;
1873 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1874 rfcomm_dlc_clear_timer(d);
1875 if (!d->out)
1876 rfcomm_send_dm(s, d->dlci);
1877 else
1878 d->state = BT_CLOSED;
1879 __rfcomm_dlc_close(d, ECONNREFUSED);
1880 continue;
1881 }
1882
1883 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1884 continue;
1885
1886 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1887 continue;
1888
1889 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1890 d->mscex == RFCOMM_MSCEX_OK)
1891 rfcomm_process_tx(d);
1892 }
1893}
1894
1895static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1896{
1897 struct socket *sock = s->sock;
1898 struct sock *sk = sock->sk;
1899 struct sk_buff *skb;
1900
1901 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1902
1903 /* Get data directly from socket receive queue without copying it. */
1904 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1905 skb_orphan(skb);
1906 if (!skb_linearize(skb)) {
1907 s = rfcomm_recv_frame(s, skb);
1908 if (!s)
1909 break;
1910 } else {
1911 kfree_skb(skb);
1912 }
1913 }
1914
1915 if (s && (sk->sk_state == BT_CLOSED))
1916 s = rfcomm_session_close(s, sk->sk_err);
1917
1918 return s;
1919}
1920
1921static void rfcomm_accept_connection(struct rfcomm_session *s)
1922{
1923 struct socket *sock = s->sock, *nsock;
1924 int err;
1925
1926 /* Fast check for a new connection.
1927 * Avoids unnesesary socket allocations. */
1928 if (list_empty(&bt_sk(sock->sk)->accept_q))
1929 return;
1930
1931 BT_DBG("session %p", s);
1932
1933 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1934 if (err < 0)
1935 return;
1936
1937 /* Set our callbacks */
1938 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1939 nsock->sk->sk_state_change = rfcomm_l2state_change;
1940
1941 s = rfcomm_session_add(nsock, BT_OPEN);
1942 if (s) {
1943 /* We should adjust MTU on incoming sessions.
1944 * L2CAP MTU minus UIH header and FCS. */
1945 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1946 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1947
1948 rfcomm_schedule();
1949 } else
1950 sock_release(nsock);
1951}
1952
1953static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1954{
1955 struct sock *sk = s->sock->sk;
1956
1957 BT_DBG("%p state %ld", s, s->state);
1958
1959 switch (sk->sk_state) {
1960 case BT_CONNECTED:
1961 s->state = BT_CONNECT;
1962
1963 /* We can adjust MTU on outgoing sessions.
1964 * L2CAP MTU minus UIH header and FCS. */
1965 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1966
1967 rfcomm_send_sabm(s, 0);
1968 break;
1969
1970 case BT_CLOSED:
1971 s = rfcomm_session_close(s, sk->sk_err);
1972 break;
1973 }
1974 return s;
1975}
1976
1977static void rfcomm_process_sessions(void)
1978{
1979 struct rfcomm_session *s, *n;
1980
1981 rfcomm_lock();
1982
1983 list_for_each_entry_safe(s, n, &session_list, list) {
1984 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1985 s->state = BT_DISCONN;
1986 rfcomm_send_disc(s, 0);
1987 continue;
1988 }
1989
1990 switch (s->state) {
1991 case BT_LISTEN:
1992 rfcomm_accept_connection(s);
1993 continue;
1994
1995 case BT_BOUND:
1996 s = rfcomm_check_connection(s);
1997 break;
1998
1999 default:
2000 s = rfcomm_process_rx(s);
2001 break;
2002 }
2003
2004 if (s)
2005 rfcomm_process_dlcs(s);
2006 }
2007
2008 rfcomm_unlock();
2009}
2010
2011static int rfcomm_add_listener(bdaddr_t *ba)
2012{
2013 struct sockaddr_l2 addr;
2014 struct socket *sock;
2015 struct sock *sk;
2016 struct rfcomm_session *s;
2017 int err = 0;
2018
2019 /* Create socket */
2020 err = rfcomm_l2sock_create(&sock);
2021 if (err < 0) {
2022 BT_ERR("Create socket failed %d", err);
2023 return err;
2024 }
2025
2026 /* Bind socket */
2027 bacpy(&addr.l2_bdaddr, ba);
2028 addr.l2_family = AF_BLUETOOTH;
2029 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM);
2030 addr.l2_cid = 0;
2031 addr.l2_bdaddr_type = BDADDR_BREDR;
2032 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2033 if (err < 0) {
2034 BT_ERR("Bind failed %d", err);
2035 goto failed;
2036 }
2037
2038 /* Set L2CAP options */
2039 sk = sock->sk;
2040 lock_sock(sk);
2041 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2042 release_sock(sk);
2043
2044 /* Start listening on the socket */
2045 err = kernel_listen(sock, 10);
2046 if (err) {
2047 BT_ERR("Listen failed %d", err);
2048 goto failed;
2049 }
2050
2051 /* Add listening session */
2052 s = rfcomm_session_add(sock, BT_LISTEN);
2053 if (!s) {
2054 err = -ENOMEM;
2055 goto failed;
2056 }
2057
2058 return 0;
2059failed:
2060 sock_release(sock);
2061 return err;
2062}
2063
2064static void rfcomm_kill_listener(void)
2065{
2066 struct rfcomm_session *s, *n;
2067
2068 BT_DBG("");
2069
2070 list_for_each_entry_safe(s, n, &session_list, list)
2071 rfcomm_session_del(s);
2072}
2073
2074static int rfcomm_run(void *unused)
2075{
2076 DEFINE_WAIT_FUNC(wait, woken_wake_function);
2077 BT_DBG("");
2078
2079 set_user_nice(current, -10);
2080
2081 rfcomm_add_listener(BDADDR_ANY);
2082
2083 add_wait_queue(&rfcomm_wq, &wait);
2084 while (!kthread_should_stop()) {
2085
2086 /* Process stuff */
2087 rfcomm_process_sessions();
2088
2089 wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
2090 }
2091 remove_wait_queue(&rfcomm_wq, &wait);
2092
2093 rfcomm_kill_listener();
2094
2095 return 0;
2096}
2097
2098static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2099{
2100 struct rfcomm_session *s;
2101 struct rfcomm_dlc *d, *n;
2102
2103 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2104
2105 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2106 if (!s)
2107 return;
2108
2109 list_for_each_entry_safe(d, n, &s->dlcs, list) {
2110 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2111 rfcomm_dlc_clear_timer(d);
2112 if (status || encrypt == 0x00) {
2113 set_bit(RFCOMM_ENC_DROP, &d->flags);
2114 continue;
2115 }
2116 }
2117
2118 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2119 if (d->sec_level == BT_SECURITY_MEDIUM) {
2120 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2121 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2122 continue;
2123 } else if (d->sec_level == BT_SECURITY_HIGH ||
2124 d->sec_level == BT_SECURITY_FIPS) {
2125 set_bit(RFCOMM_ENC_DROP, &d->flags);
2126 continue;
2127 }
2128 }
2129
2130 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2131 continue;
2132
2133 if (!status && hci_conn_check_secure(conn, d->sec_level))
2134 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2135 else
2136 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2137 }
2138
2139 rfcomm_schedule();
2140}
2141
2142static struct hci_cb rfcomm_cb = {
2143 .name = "RFCOMM",
2144 .security_cfm = rfcomm_security_cfm
2145};
2146
2147static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2148{
2149 struct rfcomm_session *s;
2150
2151 rfcomm_lock();
2152
2153 list_for_each_entry(s, &session_list, list) {
2154 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
2155 struct rfcomm_dlc *d;
2156 list_for_each_entry(d, &s->dlcs, list) {
2157 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2158 &chan->src, &chan->dst,
2159 d->state, d->dlci, d->mtu,
2160 d->rx_credits, d->tx_credits);
2161 }
2162 }
2163
2164 rfcomm_unlock();
2165
2166 return 0;
2167}
2168
2169static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2170{
2171 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2172}
2173
2174static const struct file_operations rfcomm_dlc_debugfs_fops = {
2175 .open = rfcomm_dlc_debugfs_open,
2176 .read = seq_read,
2177 .llseek = seq_lseek,
2178 .release = single_release,
2179};
2180
2181static struct dentry *rfcomm_dlc_debugfs;
2182
2183/* ---- Initialization ---- */
2184static int __init rfcomm_init(void)
2185{
2186 int err;
2187
2188 hci_register_cb(&rfcomm_cb);
2189
2190 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2191 if (IS_ERR(rfcomm_thread)) {
2192 err = PTR_ERR(rfcomm_thread);
2193 goto unregister;
2194 }
2195
2196 err = rfcomm_init_ttys();
2197 if (err < 0)
2198 goto stop;
2199
2200 err = rfcomm_init_sockets();
2201 if (err < 0)
2202 goto cleanup;
2203
2204 BT_INFO("RFCOMM ver %s", VERSION);
2205
2206 if (IS_ERR_OR_NULL(bt_debugfs))
2207 return 0;
2208
2209 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2210 bt_debugfs, NULL,
2211 &rfcomm_dlc_debugfs_fops);
2212
2213 return 0;
2214
2215cleanup:
2216 rfcomm_cleanup_ttys();
2217
2218stop:
2219 kthread_stop(rfcomm_thread);
2220
2221unregister:
2222 hci_unregister_cb(&rfcomm_cb);
2223
2224 return err;
2225}
2226
2227static void __exit rfcomm_exit(void)
2228{
2229 debugfs_remove(rfcomm_dlc_debugfs);
2230
2231 hci_unregister_cb(&rfcomm_cb);
2232
2233 kthread_stop(rfcomm_thread);
2234
2235 rfcomm_cleanup_ttys();
2236
2237 rfcomm_cleanup_sockets();
2238}
2239
2240module_init(rfcomm_init);
2241module_exit(rfcomm_exit);
2242
2243module_param(disable_cfc, bool, 0644);
2244MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2245
2246module_param(channel_mtu, int, 0644);
2247MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2248
2249module_param(l2cap_mtu, uint, 0644);
2250MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2251
2252module_param(l2cap_ertm, bool, 0644);
2253MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2254
2255MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2256MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2257MODULE_VERSION(VERSION);
2258MODULE_LICENSE("GPL");
2259MODULE_ALIAS("bt-proto-3");
1/*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22*/
23
24/*
25 * Bluetooth RFCOMM core.
26 */
27
28#include <linux/module.h>
29#include <linux/errno.h>
30#include <linux/kernel.h>
31#include <linux/sched.h>
32#include <linux/signal.h>
33#include <linux/init.h>
34#include <linux/wait.h>
35#include <linux/device.h>
36#include <linux/debugfs.h>
37#include <linux/seq_file.h>
38#include <linux/net.h>
39#include <linux/mutex.h>
40#include <linux/kthread.h>
41#include <linux/slab.h>
42
43#include <net/sock.h>
44#include <linux/uaccess.h>
45#include <asm/unaligned.h>
46
47#include <net/bluetooth/bluetooth.h>
48#include <net/bluetooth/hci_core.h>
49#include <net/bluetooth/l2cap.h>
50#include <net/bluetooth/rfcomm.h>
51
52#define VERSION "1.11"
53
54static bool disable_cfc;
55static bool l2cap_ertm;
56static int channel_mtu = -1;
57static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
58
59static struct task_struct *rfcomm_thread;
60
61static DEFINE_MUTEX(rfcomm_mutex);
62#define rfcomm_lock() mutex_lock(&rfcomm_mutex)
63#define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
64
65
66static LIST_HEAD(session_list);
67
68static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
69static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
70static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
71static int rfcomm_queue_disc(struct rfcomm_dlc *d);
72static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
73static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
74static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
75static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
76static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
77static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
78
79static void rfcomm_process_connect(struct rfcomm_session *s);
80
81static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
82 bdaddr_t *dst,
83 u8 sec_level,
84 int *err);
85static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
86static void rfcomm_session_del(struct rfcomm_session *s);
87
88/* ---- RFCOMM frame parsing macros ---- */
89#define __get_dlci(b) ((b & 0xfc) >> 2)
90#define __get_channel(b) ((b & 0xf8) >> 3)
91#define __get_dir(b) ((b & 0x04) >> 2)
92#define __get_type(b) ((b & 0xef))
93
94#define __test_ea(b) ((b & 0x01))
95#define __test_cr(b) ((b & 0x02))
96#define __test_pf(b) ((b & 0x10))
97
98#define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
99#define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
100#define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
101#define __srv_channel(dlci) (dlci >> 1)
102#define __dir(dlci) (dlci & 0x01)
103
104#define __len8(len) (((len) << 1) | 1)
105#define __len16(len) ((len) << 1)
106
107/* MCC macros */
108#define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
109#define __get_mcc_type(b) ((b & 0xfc) >> 2)
110#define __get_mcc_len(b) ((b & 0xfe) >> 1)
111
112/* RPN macros */
113#define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
114#define __get_rpn_data_bits(line) ((line) & 0x3)
115#define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
116#define __get_rpn_parity(line) (((line) >> 3) & 0x7)
117
118static inline void rfcomm_schedule(void)
119{
120 if (!rfcomm_thread)
121 return;
122 wake_up_process(rfcomm_thread);
123}
124
125static inline void rfcomm_session_put(struct rfcomm_session *s)
126{
127 if (atomic_dec_and_test(&s->refcnt))
128 rfcomm_session_del(s);
129}
130
131/* ---- RFCOMM FCS computation ---- */
132
133/* reversed, 8-bit, poly=0x07 */
134static unsigned char rfcomm_crc_table[256] = {
135 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
136 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
137 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
138 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
139
140 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
141 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
142 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
143 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
144
145 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
146 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
147 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
148 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
149
150 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
151 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
152 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
153 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
154
155 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
156 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
157 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
158 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
159
160 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
161 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
162 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
163 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
164
165 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
166 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
167 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
168 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
169
170 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
171 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
172 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
173 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
174};
175
176/* CRC on 2 bytes */
177#define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
178
179/* FCS on 2 bytes */
180static inline u8 __fcs(u8 *data)
181{
182 return 0xff - __crc(data);
183}
184
185/* FCS on 3 bytes */
186static inline u8 __fcs2(u8 *data)
187{
188 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
189}
190
191/* Check FCS */
192static inline int __check_fcs(u8 *data, int type, u8 fcs)
193{
194 u8 f = __crc(data);
195
196 if (type != RFCOMM_UIH)
197 f = rfcomm_crc_table[f ^ data[2]];
198
199 return rfcomm_crc_table[f ^ fcs] != 0xcf;
200}
201
202/* ---- L2CAP callbacks ---- */
203static void rfcomm_l2state_change(struct sock *sk)
204{
205 BT_DBG("%p state %d", sk, sk->sk_state);
206 rfcomm_schedule();
207}
208
209static void rfcomm_l2data_ready(struct sock *sk, int bytes)
210{
211 BT_DBG("%p bytes %d", sk, bytes);
212 rfcomm_schedule();
213}
214
215static int rfcomm_l2sock_create(struct socket **sock)
216{
217 int err;
218
219 BT_DBG("");
220
221 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
222 if (!err) {
223 struct sock *sk = (*sock)->sk;
224 sk->sk_data_ready = rfcomm_l2data_ready;
225 sk->sk_state_change = rfcomm_l2state_change;
226 }
227 return err;
228}
229
230static inline int rfcomm_check_security(struct rfcomm_dlc *d)
231{
232 struct sock *sk = d->session->sock->sk;
233 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
234
235 __u8 auth_type;
236
237 switch (d->sec_level) {
238 case BT_SECURITY_HIGH:
239 auth_type = HCI_AT_GENERAL_BONDING_MITM;
240 break;
241 case BT_SECURITY_MEDIUM:
242 auth_type = HCI_AT_GENERAL_BONDING;
243 break;
244 default:
245 auth_type = HCI_AT_NO_BONDING;
246 break;
247 }
248
249 return hci_conn_security(conn->hcon, d->sec_level, auth_type);
250}
251
252static void rfcomm_session_timeout(unsigned long arg)
253{
254 struct rfcomm_session *s = (void *) arg;
255
256 BT_DBG("session %p state %ld", s, s->state);
257
258 set_bit(RFCOMM_TIMED_OUT, &s->flags);
259 rfcomm_schedule();
260}
261
262static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
263{
264 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
265
266 if (!mod_timer(&s->timer, jiffies + timeout))
267 rfcomm_session_hold(s);
268}
269
270static void rfcomm_session_clear_timer(struct rfcomm_session *s)
271{
272 BT_DBG("session %p state %ld", s, s->state);
273
274 if (timer_pending(&s->timer) && del_timer(&s->timer))
275 rfcomm_session_put(s);
276}
277
278/* ---- RFCOMM DLCs ---- */
279static void rfcomm_dlc_timeout(unsigned long arg)
280{
281 struct rfcomm_dlc *d = (void *) arg;
282
283 BT_DBG("dlc %p state %ld", d, d->state);
284
285 set_bit(RFCOMM_TIMED_OUT, &d->flags);
286 rfcomm_dlc_put(d);
287 rfcomm_schedule();
288}
289
290static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
291{
292 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
293
294 if (!mod_timer(&d->timer, jiffies + timeout))
295 rfcomm_dlc_hold(d);
296}
297
298static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
299{
300 BT_DBG("dlc %p state %ld", d, d->state);
301
302 if (timer_pending(&d->timer) && del_timer(&d->timer))
303 rfcomm_dlc_put(d);
304}
305
306static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
307{
308 BT_DBG("%p", d);
309
310 d->state = BT_OPEN;
311 d->flags = 0;
312 d->mscex = 0;
313 d->sec_level = BT_SECURITY_LOW;
314 d->mtu = RFCOMM_DEFAULT_MTU;
315 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
316
317 d->cfc = RFCOMM_CFC_DISABLED;
318 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
319}
320
321struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
322{
323 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
324
325 if (!d)
326 return NULL;
327
328 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
329
330 skb_queue_head_init(&d->tx_queue);
331 spin_lock_init(&d->lock);
332 atomic_set(&d->refcnt, 1);
333
334 rfcomm_dlc_clear_state(d);
335
336 BT_DBG("%p", d);
337
338 return d;
339}
340
341void rfcomm_dlc_free(struct rfcomm_dlc *d)
342{
343 BT_DBG("%p", d);
344
345 skb_queue_purge(&d->tx_queue);
346 kfree(d);
347}
348
349static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
350{
351 BT_DBG("dlc %p session %p", d, s);
352
353 rfcomm_session_hold(s);
354
355 rfcomm_session_clear_timer(s);
356 rfcomm_dlc_hold(d);
357 list_add(&d->list, &s->dlcs);
358 d->session = s;
359}
360
361static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
362{
363 struct rfcomm_session *s = d->session;
364
365 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
366
367 list_del(&d->list);
368 d->session = NULL;
369 rfcomm_dlc_put(d);
370
371 if (list_empty(&s->dlcs))
372 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
373
374 rfcomm_session_put(s);
375}
376
377static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
378{
379 struct rfcomm_dlc *d;
380
381 list_for_each_entry(d, &s->dlcs, list)
382 if (d->dlci == dlci)
383 return d;
384
385 return NULL;
386}
387
388static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
389{
390 struct rfcomm_session *s;
391 int err = 0;
392 u8 dlci;
393
394 BT_DBG("dlc %p state %ld %s %s channel %d",
395 d, d->state, batostr(src), batostr(dst), channel);
396
397 if (channel < 1 || channel > 30)
398 return -EINVAL;
399
400 if (d->state != BT_OPEN && d->state != BT_CLOSED)
401 return 0;
402
403 s = rfcomm_session_get(src, dst);
404 if (!s) {
405 s = rfcomm_session_create(src, dst, d->sec_level, &err);
406 if (!s)
407 return err;
408 }
409
410 dlci = __dlci(!s->initiator, channel);
411
412 /* Check if DLCI already exists */
413 if (rfcomm_dlc_get(s, dlci))
414 return -EBUSY;
415
416 rfcomm_dlc_clear_state(d);
417
418 d->dlci = dlci;
419 d->addr = __addr(s->initiator, dlci);
420 d->priority = 7;
421
422 d->state = BT_CONFIG;
423 rfcomm_dlc_link(s, d);
424
425 d->out = 1;
426
427 d->mtu = s->mtu;
428 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
429
430 if (s->state == BT_CONNECTED) {
431 if (rfcomm_check_security(d))
432 rfcomm_send_pn(s, 1, d);
433 else
434 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
435 }
436
437 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
438
439 return 0;
440}
441
442int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
443{
444 int r;
445
446 rfcomm_lock();
447
448 r = __rfcomm_dlc_open(d, src, dst, channel);
449
450 rfcomm_unlock();
451 return r;
452}
453
454static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
455{
456 struct rfcomm_session *s = d->session;
457 if (!s)
458 return 0;
459
460 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
461 d, d->state, d->dlci, err, s);
462
463 switch (d->state) {
464 case BT_CONNECT:
465 case BT_CONFIG:
466 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
467 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
468 rfcomm_schedule();
469 break;
470 }
471 /* Fall through */
472
473 case BT_CONNECTED:
474 d->state = BT_DISCONN;
475 if (skb_queue_empty(&d->tx_queue)) {
476 rfcomm_send_disc(s, d->dlci);
477 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
478 } else {
479 rfcomm_queue_disc(d);
480 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
481 }
482 break;
483
484 case BT_OPEN:
485 case BT_CONNECT2:
486 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
487 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
488 rfcomm_schedule();
489 break;
490 }
491 /* Fall through */
492
493 default:
494 rfcomm_dlc_clear_timer(d);
495
496 rfcomm_dlc_lock(d);
497 d->state = BT_CLOSED;
498 d->state_change(d, err);
499 rfcomm_dlc_unlock(d);
500
501 skb_queue_purge(&d->tx_queue);
502 rfcomm_dlc_unlink(d);
503 }
504
505 return 0;
506}
507
508int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
509{
510 int r;
511
512 rfcomm_lock();
513
514 r = __rfcomm_dlc_close(d, err);
515
516 rfcomm_unlock();
517 return r;
518}
519
520int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
521{
522 int len = skb->len;
523
524 if (d->state != BT_CONNECTED)
525 return -ENOTCONN;
526
527 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
528
529 if (len > d->mtu)
530 return -EINVAL;
531
532 rfcomm_make_uih(skb, d->addr);
533 skb_queue_tail(&d->tx_queue, skb);
534
535 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
536 rfcomm_schedule();
537 return len;
538}
539
540void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
541{
542 BT_DBG("dlc %p state %ld", d, d->state);
543
544 if (!d->cfc) {
545 d->v24_sig |= RFCOMM_V24_FC;
546 set_bit(RFCOMM_MSC_PENDING, &d->flags);
547 }
548 rfcomm_schedule();
549}
550
551void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
552{
553 BT_DBG("dlc %p state %ld", d, d->state);
554
555 if (!d->cfc) {
556 d->v24_sig &= ~RFCOMM_V24_FC;
557 set_bit(RFCOMM_MSC_PENDING, &d->flags);
558 }
559 rfcomm_schedule();
560}
561
562/*
563 Set/get modem status functions use _local_ status i.e. what we report
564 to the other side.
565 Remote status is provided by dlc->modem_status() callback.
566 */
567int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
568{
569 BT_DBG("dlc %p state %ld v24_sig 0x%x",
570 d, d->state, v24_sig);
571
572 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
573 v24_sig |= RFCOMM_V24_FC;
574 else
575 v24_sig &= ~RFCOMM_V24_FC;
576
577 d->v24_sig = v24_sig;
578
579 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
580 rfcomm_schedule();
581
582 return 0;
583}
584
585int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
586{
587 BT_DBG("dlc %p state %ld v24_sig 0x%x",
588 d, d->state, d->v24_sig);
589
590 *v24_sig = d->v24_sig;
591 return 0;
592}
593
594/* ---- RFCOMM sessions ---- */
595static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
596{
597 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
598
599 if (!s)
600 return NULL;
601
602 BT_DBG("session %p sock %p", s, sock);
603
604 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
605
606 INIT_LIST_HEAD(&s->dlcs);
607 s->state = state;
608 s->sock = sock;
609
610 s->mtu = RFCOMM_DEFAULT_MTU;
611 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
612
613 /* Do not increment module usage count for listening sessions.
614 * Otherwise we won't be able to unload the module. */
615 if (state != BT_LISTEN)
616 if (!try_module_get(THIS_MODULE)) {
617 kfree(s);
618 return NULL;
619 }
620
621 list_add(&s->list, &session_list);
622
623 return s;
624}
625
626static void rfcomm_session_del(struct rfcomm_session *s)
627{
628 int state = s->state;
629
630 BT_DBG("session %p state %ld", s, s->state);
631
632 list_del(&s->list);
633
634 if (state == BT_CONNECTED)
635 rfcomm_send_disc(s, 0);
636
637 rfcomm_session_clear_timer(s);
638 sock_release(s->sock);
639 kfree(s);
640
641 if (state != BT_LISTEN)
642 module_put(THIS_MODULE);
643}
644
645static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
646{
647 struct rfcomm_session *s;
648 struct list_head *p, *n;
649 struct bt_sock *sk;
650 list_for_each_safe(p, n, &session_list) {
651 s = list_entry(p, struct rfcomm_session, list);
652 sk = bt_sk(s->sock->sk);
653
654 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
655 !bacmp(&sk->dst, dst))
656 return s;
657 }
658 return NULL;
659}
660
661static void rfcomm_session_close(struct rfcomm_session *s, int err)
662{
663 struct rfcomm_dlc *d;
664 struct list_head *p, *n;
665
666 BT_DBG("session %p state %ld err %d", s, s->state, err);
667
668 rfcomm_session_hold(s);
669
670 s->state = BT_CLOSED;
671
672 /* Close all dlcs */
673 list_for_each_safe(p, n, &s->dlcs) {
674 d = list_entry(p, struct rfcomm_dlc, list);
675 d->state = BT_CLOSED;
676 __rfcomm_dlc_close(d, err);
677 }
678
679 rfcomm_session_clear_timer(s);
680 rfcomm_session_put(s);
681}
682
683static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
684 bdaddr_t *dst,
685 u8 sec_level,
686 int *err)
687{
688 struct rfcomm_session *s = NULL;
689 struct sockaddr_l2 addr;
690 struct socket *sock;
691 struct sock *sk;
692
693 BT_DBG("%s %s", batostr(src), batostr(dst));
694
695 *err = rfcomm_l2sock_create(&sock);
696 if (*err < 0)
697 return NULL;
698
699 bacpy(&addr.l2_bdaddr, src);
700 addr.l2_family = AF_BLUETOOTH;
701 addr.l2_psm = 0;
702 addr.l2_cid = 0;
703 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
704 if (*err < 0)
705 goto failed;
706
707 /* Set L2CAP options */
708 sk = sock->sk;
709 lock_sock(sk);
710 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
711 l2cap_pi(sk)->chan->sec_level = sec_level;
712 if (l2cap_ertm)
713 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
714 release_sock(sk);
715
716 s = rfcomm_session_add(sock, BT_BOUND);
717 if (!s) {
718 *err = -ENOMEM;
719 goto failed;
720 }
721
722 s->initiator = 1;
723
724 bacpy(&addr.l2_bdaddr, dst);
725 addr.l2_family = AF_BLUETOOTH;
726 addr.l2_psm = cpu_to_le16(RFCOMM_PSM);
727 addr.l2_cid = 0;
728 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
729 if (*err == 0 || *err == -EINPROGRESS)
730 return s;
731
732 rfcomm_session_del(s);
733 return NULL;
734
735failed:
736 sock_release(sock);
737 return NULL;
738}
739
740void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
741{
742 struct sock *sk = s->sock->sk;
743 if (src)
744 bacpy(src, &bt_sk(sk)->src);
745 if (dst)
746 bacpy(dst, &bt_sk(sk)->dst);
747}
748
749/* ---- RFCOMM frame sending ---- */
750static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
751{
752 struct kvec iv = { data, len };
753 struct msghdr msg;
754
755 BT_DBG("session %p len %d", s, len);
756
757 memset(&msg, 0, sizeof(msg));
758
759 return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
760}
761
762static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
763{
764 BT_DBG("%p cmd %u", s, cmd->ctrl);
765
766 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
767}
768
769static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
770{
771 struct rfcomm_cmd cmd;
772
773 BT_DBG("%p dlci %d", s, dlci);
774
775 cmd.addr = __addr(s->initiator, dlci);
776 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
777 cmd.len = __len8(0);
778 cmd.fcs = __fcs2((u8 *) &cmd);
779
780 return rfcomm_send_cmd(s, &cmd);
781}
782
783static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
784{
785 struct rfcomm_cmd cmd;
786
787 BT_DBG("%p dlci %d", s, dlci);
788
789 cmd.addr = __addr(!s->initiator, dlci);
790 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
791 cmd.len = __len8(0);
792 cmd.fcs = __fcs2((u8 *) &cmd);
793
794 return rfcomm_send_cmd(s, &cmd);
795}
796
797static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
798{
799 struct rfcomm_cmd cmd;
800
801 BT_DBG("%p dlci %d", s, dlci);
802
803 cmd.addr = __addr(s->initiator, dlci);
804 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
805 cmd.len = __len8(0);
806 cmd.fcs = __fcs2((u8 *) &cmd);
807
808 return rfcomm_send_cmd(s, &cmd);
809}
810
811static int rfcomm_queue_disc(struct rfcomm_dlc *d)
812{
813 struct rfcomm_cmd *cmd;
814 struct sk_buff *skb;
815
816 BT_DBG("dlc %p dlci %d", d, d->dlci);
817
818 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
819 if (!skb)
820 return -ENOMEM;
821
822 cmd = (void *) __skb_put(skb, sizeof(*cmd));
823 cmd->addr = d->addr;
824 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
825 cmd->len = __len8(0);
826 cmd->fcs = __fcs2((u8 *) cmd);
827
828 skb_queue_tail(&d->tx_queue, skb);
829 rfcomm_schedule();
830 return 0;
831}
832
833static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
834{
835 struct rfcomm_cmd cmd;
836
837 BT_DBG("%p dlci %d", s, dlci);
838
839 cmd.addr = __addr(!s->initiator, dlci);
840 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
841 cmd.len = __len8(0);
842 cmd.fcs = __fcs2((u8 *) &cmd);
843
844 return rfcomm_send_cmd(s, &cmd);
845}
846
847static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
848{
849 struct rfcomm_hdr *hdr;
850 struct rfcomm_mcc *mcc;
851 u8 buf[16], *ptr = buf;
852
853 BT_DBG("%p cr %d type %d", s, cr, type);
854
855 hdr = (void *) ptr; ptr += sizeof(*hdr);
856 hdr->addr = __addr(s->initiator, 0);
857 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
858 hdr->len = __len8(sizeof(*mcc) + 1);
859
860 mcc = (void *) ptr; ptr += sizeof(*mcc);
861 mcc->type = __mcc_type(cr, RFCOMM_NSC);
862 mcc->len = __len8(1);
863
864 /* Type that we didn't like */
865 *ptr = __mcc_type(cr, type); ptr++;
866
867 *ptr = __fcs(buf); ptr++;
868
869 return rfcomm_send_frame(s, buf, ptr - buf);
870}
871
872static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
873{
874 struct rfcomm_hdr *hdr;
875 struct rfcomm_mcc *mcc;
876 struct rfcomm_pn *pn;
877 u8 buf[16], *ptr = buf;
878
879 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
880
881 hdr = (void *) ptr; ptr += sizeof(*hdr);
882 hdr->addr = __addr(s->initiator, 0);
883 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
884 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
885
886 mcc = (void *) ptr; ptr += sizeof(*mcc);
887 mcc->type = __mcc_type(cr, RFCOMM_PN);
888 mcc->len = __len8(sizeof(*pn));
889
890 pn = (void *) ptr; ptr += sizeof(*pn);
891 pn->dlci = d->dlci;
892 pn->priority = d->priority;
893 pn->ack_timer = 0;
894 pn->max_retrans = 0;
895
896 if (s->cfc) {
897 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
898 pn->credits = RFCOMM_DEFAULT_CREDITS;
899 } else {
900 pn->flow_ctrl = 0;
901 pn->credits = 0;
902 }
903
904 if (cr && channel_mtu >= 0)
905 pn->mtu = cpu_to_le16(channel_mtu);
906 else
907 pn->mtu = cpu_to_le16(d->mtu);
908
909 *ptr = __fcs(buf); ptr++;
910
911 return rfcomm_send_frame(s, buf, ptr - buf);
912}
913
914int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
915 u8 bit_rate, u8 data_bits, u8 stop_bits,
916 u8 parity, u8 flow_ctrl_settings,
917 u8 xon_char, u8 xoff_char, u16 param_mask)
918{
919 struct rfcomm_hdr *hdr;
920 struct rfcomm_mcc *mcc;
921 struct rfcomm_rpn *rpn;
922 u8 buf[16], *ptr = buf;
923
924 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
925 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
926 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
927 flow_ctrl_settings, xon_char, xoff_char, param_mask);
928
929 hdr = (void *) ptr; ptr += sizeof(*hdr);
930 hdr->addr = __addr(s->initiator, 0);
931 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
932 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
933
934 mcc = (void *) ptr; ptr += sizeof(*mcc);
935 mcc->type = __mcc_type(cr, RFCOMM_RPN);
936 mcc->len = __len8(sizeof(*rpn));
937
938 rpn = (void *) ptr; ptr += sizeof(*rpn);
939 rpn->dlci = __addr(1, dlci);
940 rpn->bit_rate = bit_rate;
941 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
942 rpn->flow_ctrl = flow_ctrl_settings;
943 rpn->xon_char = xon_char;
944 rpn->xoff_char = xoff_char;
945 rpn->param_mask = cpu_to_le16(param_mask);
946
947 *ptr = __fcs(buf); ptr++;
948
949 return rfcomm_send_frame(s, buf, ptr - buf);
950}
951
952static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
953{
954 struct rfcomm_hdr *hdr;
955 struct rfcomm_mcc *mcc;
956 struct rfcomm_rls *rls;
957 u8 buf[16], *ptr = buf;
958
959 BT_DBG("%p cr %d status 0x%x", s, cr, status);
960
961 hdr = (void *) ptr; ptr += sizeof(*hdr);
962 hdr->addr = __addr(s->initiator, 0);
963 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
964 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
965
966 mcc = (void *) ptr; ptr += sizeof(*mcc);
967 mcc->type = __mcc_type(cr, RFCOMM_RLS);
968 mcc->len = __len8(sizeof(*rls));
969
970 rls = (void *) ptr; ptr += sizeof(*rls);
971 rls->dlci = __addr(1, dlci);
972 rls->status = status;
973
974 *ptr = __fcs(buf); ptr++;
975
976 return rfcomm_send_frame(s, buf, ptr - buf);
977}
978
979static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
980{
981 struct rfcomm_hdr *hdr;
982 struct rfcomm_mcc *mcc;
983 struct rfcomm_msc *msc;
984 u8 buf[16], *ptr = buf;
985
986 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
987
988 hdr = (void *) ptr; ptr += sizeof(*hdr);
989 hdr->addr = __addr(s->initiator, 0);
990 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
991 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
992
993 mcc = (void *) ptr; ptr += sizeof(*mcc);
994 mcc->type = __mcc_type(cr, RFCOMM_MSC);
995 mcc->len = __len8(sizeof(*msc));
996
997 msc = (void *) ptr; ptr += sizeof(*msc);
998 msc->dlci = __addr(1, dlci);
999 msc->v24_sig = v24_sig | 0x01;
1000
1001 *ptr = __fcs(buf); ptr++;
1002
1003 return rfcomm_send_frame(s, buf, ptr - buf);
1004}
1005
1006static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1007{
1008 struct rfcomm_hdr *hdr;
1009 struct rfcomm_mcc *mcc;
1010 u8 buf[16], *ptr = buf;
1011
1012 BT_DBG("%p cr %d", s, cr);
1013
1014 hdr = (void *) ptr; ptr += sizeof(*hdr);
1015 hdr->addr = __addr(s->initiator, 0);
1016 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1017 hdr->len = __len8(sizeof(*mcc));
1018
1019 mcc = (void *) ptr; ptr += sizeof(*mcc);
1020 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1021 mcc->len = __len8(0);
1022
1023 *ptr = __fcs(buf); ptr++;
1024
1025 return rfcomm_send_frame(s, buf, ptr - buf);
1026}
1027
1028static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1029{
1030 struct rfcomm_hdr *hdr;
1031 struct rfcomm_mcc *mcc;
1032 u8 buf[16], *ptr = buf;
1033
1034 BT_DBG("%p cr %d", s, cr);
1035
1036 hdr = (void *) ptr; ptr += sizeof(*hdr);
1037 hdr->addr = __addr(s->initiator, 0);
1038 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1039 hdr->len = __len8(sizeof(*mcc));
1040
1041 mcc = (void *) ptr; ptr += sizeof(*mcc);
1042 mcc->type = __mcc_type(cr, RFCOMM_FCON);
1043 mcc->len = __len8(0);
1044
1045 *ptr = __fcs(buf); ptr++;
1046
1047 return rfcomm_send_frame(s, buf, ptr - buf);
1048}
1049
1050static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1051{
1052 struct socket *sock = s->sock;
1053 struct kvec iv[3];
1054 struct msghdr msg;
1055 unsigned char hdr[5], crc[1];
1056
1057 if (len > 125)
1058 return -EINVAL;
1059
1060 BT_DBG("%p cr %d", s, cr);
1061
1062 hdr[0] = __addr(s->initiator, 0);
1063 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1064 hdr[2] = 0x01 | ((len + 2) << 1);
1065 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1066 hdr[4] = 0x01 | (len << 1);
1067
1068 crc[0] = __fcs(hdr);
1069
1070 iv[0].iov_base = hdr;
1071 iv[0].iov_len = 5;
1072 iv[1].iov_base = pattern;
1073 iv[1].iov_len = len;
1074 iv[2].iov_base = crc;
1075 iv[2].iov_len = 1;
1076
1077 memset(&msg, 0, sizeof(msg));
1078
1079 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1080}
1081
1082static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1083{
1084 struct rfcomm_hdr *hdr;
1085 u8 buf[16], *ptr = buf;
1086
1087 BT_DBG("%p addr %d credits %d", s, addr, credits);
1088
1089 hdr = (void *) ptr; ptr += sizeof(*hdr);
1090 hdr->addr = addr;
1091 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1092 hdr->len = __len8(0);
1093
1094 *ptr = credits; ptr++;
1095
1096 *ptr = __fcs(buf); ptr++;
1097
1098 return rfcomm_send_frame(s, buf, ptr - buf);
1099}
1100
1101static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1102{
1103 struct rfcomm_hdr *hdr;
1104 int len = skb->len;
1105 u8 *crc;
1106
1107 if (len > 127) {
1108 hdr = (void *) skb_push(skb, 4);
1109 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1110 } else {
1111 hdr = (void *) skb_push(skb, 3);
1112 hdr->len = __len8(len);
1113 }
1114 hdr->addr = addr;
1115 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1116
1117 crc = skb_put(skb, 1);
1118 *crc = __fcs((void *) hdr);
1119}
1120
1121/* ---- RFCOMM frame reception ---- */
1122static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1123{
1124 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1125
1126 if (dlci) {
1127 /* Data channel */
1128 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1129 if (!d) {
1130 rfcomm_send_dm(s, dlci);
1131 return 0;
1132 }
1133
1134 switch (d->state) {
1135 case BT_CONNECT:
1136 rfcomm_dlc_clear_timer(d);
1137
1138 rfcomm_dlc_lock(d);
1139 d->state = BT_CONNECTED;
1140 d->state_change(d, 0);
1141 rfcomm_dlc_unlock(d);
1142
1143 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1144 break;
1145
1146 case BT_DISCONN:
1147 d->state = BT_CLOSED;
1148 __rfcomm_dlc_close(d, 0);
1149
1150 if (list_empty(&s->dlcs)) {
1151 s->state = BT_DISCONN;
1152 rfcomm_send_disc(s, 0);
1153 rfcomm_session_clear_timer(s);
1154 }
1155
1156 break;
1157 }
1158 } else {
1159 /* Control channel */
1160 switch (s->state) {
1161 case BT_CONNECT:
1162 s->state = BT_CONNECTED;
1163 rfcomm_process_connect(s);
1164 break;
1165
1166 case BT_DISCONN:
1167 /* rfcomm_session_put is called later so don't do
1168 * anything here otherwise we will mess up the session
1169 * reference counter:
1170 *
1171 * (a) when we are the initiator dlc_unlink will drive
1172 * the reference counter to 0 (there is no initial put
1173 * after session_add)
1174 *
1175 * (b) when we are not the initiator rfcomm_rx_process
1176 * will explicitly call put to balance the initial hold
1177 * done after session add.
1178 */
1179 break;
1180 }
1181 }
1182 return 0;
1183}
1184
1185static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1186{
1187 int err = 0;
1188
1189 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1190
1191 if (dlci) {
1192 /* Data DLC */
1193 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1194 if (d) {
1195 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1196 err = ECONNREFUSED;
1197 else
1198 err = ECONNRESET;
1199
1200 d->state = BT_CLOSED;
1201 __rfcomm_dlc_close(d, err);
1202 }
1203 } else {
1204 if (s->state == BT_CONNECT)
1205 err = ECONNREFUSED;
1206 else
1207 err = ECONNRESET;
1208
1209 s->state = BT_CLOSED;
1210 rfcomm_session_close(s, err);
1211 }
1212 return 0;
1213}
1214
1215static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1216{
1217 int err = 0;
1218
1219 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1220
1221 if (dlci) {
1222 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1223 if (d) {
1224 rfcomm_send_ua(s, dlci);
1225
1226 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1227 err = ECONNREFUSED;
1228 else
1229 err = ECONNRESET;
1230
1231 d->state = BT_CLOSED;
1232 __rfcomm_dlc_close(d, err);
1233 } else
1234 rfcomm_send_dm(s, dlci);
1235
1236 } else {
1237 rfcomm_send_ua(s, 0);
1238
1239 if (s->state == BT_CONNECT)
1240 err = ECONNREFUSED;
1241 else
1242 err = ECONNRESET;
1243
1244 s->state = BT_CLOSED;
1245 rfcomm_session_close(s, err);
1246 }
1247
1248 return 0;
1249}
1250
1251void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1252{
1253 struct sock *sk = d->session->sock->sk;
1254 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1255
1256 BT_DBG("dlc %p", d);
1257
1258 rfcomm_send_ua(d->session, d->dlci);
1259
1260 rfcomm_dlc_clear_timer(d);
1261
1262 rfcomm_dlc_lock(d);
1263 d->state = BT_CONNECTED;
1264 d->state_change(d, 0);
1265 rfcomm_dlc_unlock(d);
1266
1267 if (d->role_switch)
1268 hci_conn_switch_role(conn->hcon, 0x00);
1269
1270 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1271}
1272
1273static void rfcomm_check_accept(struct rfcomm_dlc *d)
1274{
1275 if (rfcomm_check_security(d)) {
1276 if (d->defer_setup) {
1277 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1278 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1279
1280 rfcomm_dlc_lock(d);
1281 d->state = BT_CONNECT2;
1282 d->state_change(d, 0);
1283 rfcomm_dlc_unlock(d);
1284 } else
1285 rfcomm_dlc_accept(d);
1286 } else {
1287 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1288 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1289 }
1290}
1291
1292static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1293{
1294 struct rfcomm_dlc *d;
1295 u8 channel;
1296
1297 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1298
1299 if (!dlci) {
1300 rfcomm_send_ua(s, 0);
1301
1302 if (s->state == BT_OPEN) {
1303 s->state = BT_CONNECTED;
1304 rfcomm_process_connect(s);
1305 }
1306 return 0;
1307 }
1308
1309 /* Check if DLC exists */
1310 d = rfcomm_dlc_get(s, dlci);
1311 if (d) {
1312 if (d->state == BT_OPEN) {
1313 /* DLC was previously opened by PN request */
1314 rfcomm_check_accept(d);
1315 }
1316 return 0;
1317 }
1318
1319 /* Notify socket layer about incoming connection */
1320 channel = __srv_channel(dlci);
1321 if (rfcomm_connect_ind(s, channel, &d)) {
1322 d->dlci = dlci;
1323 d->addr = __addr(s->initiator, dlci);
1324 rfcomm_dlc_link(s, d);
1325
1326 rfcomm_check_accept(d);
1327 } else {
1328 rfcomm_send_dm(s, dlci);
1329 }
1330
1331 return 0;
1332}
1333
1334static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1335{
1336 struct rfcomm_session *s = d->session;
1337
1338 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1339 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1340
1341 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1342 pn->flow_ctrl == 0xe0) {
1343 d->cfc = RFCOMM_CFC_ENABLED;
1344 d->tx_credits = pn->credits;
1345 } else {
1346 d->cfc = RFCOMM_CFC_DISABLED;
1347 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1348 }
1349
1350 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1351 s->cfc = d->cfc;
1352
1353 d->priority = pn->priority;
1354
1355 d->mtu = __le16_to_cpu(pn->mtu);
1356
1357 if (cr && d->mtu > s->mtu)
1358 d->mtu = s->mtu;
1359
1360 return 0;
1361}
1362
1363static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1364{
1365 struct rfcomm_pn *pn = (void *) skb->data;
1366 struct rfcomm_dlc *d;
1367 u8 dlci = pn->dlci;
1368
1369 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1370
1371 if (!dlci)
1372 return 0;
1373
1374 d = rfcomm_dlc_get(s, dlci);
1375 if (d) {
1376 if (cr) {
1377 /* PN request */
1378 rfcomm_apply_pn(d, cr, pn);
1379 rfcomm_send_pn(s, 0, d);
1380 } else {
1381 /* PN response */
1382 switch (d->state) {
1383 case BT_CONFIG:
1384 rfcomm_apply_pn(d, cr, pn);
1385
1386 d->state = BT_CONNECT;
1387 rfcomm_send_sabm(s, d->dlci);
1388 break;
1389 }
1390 }
1391 } else {
1392 u8 channel = __srv_channel(dlci);
1393
1394 if (!cr)
1395 return 0;
1396
1397 /* PN request for non existing DLC.
1398 * Assume incoming connection. */
1399 if (rfcomm_connect_ind(s, channel, &d)) {
1400 d->dlci = dlci;
1401 d->addr = __addr(s->initiator, dlci);
1402 rfcomm_dlc_link(s, d);
1403
1404 rfcomm_apply_pn(d, cr, pn);
1405
1406 d->state = BT_OPEN;
1407 rfcomm_send_pn(s, 0, d);
1408 } else {
1409 rfcomm_send_dm(s, dlci);
1410 }
1411 }
1412 return 0;
1413}
1414
1415static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1416{
1417 struct rfcomm_rpn *rpn = (void *) skb->data;
1418 u8 dlci = __get_dlci(rpn->dlci);
1419
1420 u8 bit_rate = 0;
1421 u8 data_bits = 0;
1422 u8 stop_bits = 0;
1423 u8 parity = 0;
1424 u8 flow_ctrl = 0;
1425 u8 xon_char = 0;
1426 u8 xoff_char = 0;
1427 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1428
1429 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1430 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1431 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1432
1433 if (!cr)
1434 return 0;
1435
1436 if (len == 1) {
1437 /* This is a request, return default (according to ETSI TS 07.10) settings */
1438 bit_rate = RFCOMM_RPN_BR_9600;
1439 data_bits = RFCOMM_RPN_DATA_8;
1440 stop_bits = RFCOMM_RPN_STOP_1;
1441 parity = RFCOMM_RPN_PARITY_NONE;
1442 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1443 xon_char = RFCOMM_RPN_XON_CHAR;
1444 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1445 goto rpn_out;
1446 }
1447
1448 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1449 * no parity, no flow control lines, normal XON/XOFF chars */
1450
1451 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1452 bit_rate = rpn->bit_rate;
1453 if (bit_rate > RFCOMM_RPN_BR_230400) {
1454 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1455 bit_rate = RFCOMM_RPN_BR_9600;
1456 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1457 }
1458 }
1459
1460 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1461 data_bits = __get_rpn_data_bits(rpn->line_settings);
1462 if (data_bits != RFCOMM_RPN_DATA_8) {
1463 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1464 data_bits = RFCOMM_RPN_DATA_8;
1465 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1466 }
1467 }
1468
1469 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1470 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1471 if (stop_bits != RFCOMM_RPN_STOP_1) {
1472 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1473 stop_bits = RFCOMM_RPN_STOP_1;
1474 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1475 }
1476 }
1477
1478 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1479 parity = __get_rpn_parity(rpn->line_settings);
1480 if (parity != RFCOMM_RPN_PARITY_NONE) {
1481 BT_DBG("RPN parity mismatch 0x%x", parity);
1482 parity = RFCOMM_RPN_PARITY_NONE;
1483 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1484 }
1485 }
1486
1487 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1488 flow_ctrl = rpn->flow_ctrl;
1489 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1490 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1491 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1492 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1493 }
1494 }
1495
1496 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1497 xon_char = rpn->xon_char;
1498 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1499 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1500 xon_char = RFCOMM_RPN_XON_CHAR;
1501 rpn_mask ^= RFCOMM_RPN_PM_XON;
1502 }
1503 }
1504
1505 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1506 xoff_char = rpn->xoff_char;
1507 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1508 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1509 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1510 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1511 }
1512 }
1513
1514rpn_out:
1515 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1516 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1517
1518 return 0;
1519}
1520
1521static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1522{
1523 struct rfcomm_rls *rls = (void *) skb->data;
1524 u8 dlci = __get_dlci(rls->dlci);
1525
1526 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1527
1528 if (!cr)
1529 return 0;
1530
1531 /* We should probably do something with this information here. But
1532 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1533 * mandatory to recognise and respond to RLS */
1534
1535 rfcomm_send_rls(s, 0, dlci, rls->status);
1536
1537 return 0;
1538}
1539
1540static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1541{
1542 struct rfcomm_msc *msc = (void *) skb->data;
1543 struct rfcomm_dlc *d;
1544 u8 dlci = __get_dlci(msc->dlci);
1545
1546 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1547
1548 d = rfcomm_dlc_get(s, dlci);
1549 if (!d)
1550 return 0;
1551
1552 if (cr) {
1553 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1554 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1555 else
1556 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1557
1558 rfcomm_dlc_lock(d);
1559
1560 d->remote_v24_sig = msc->v24_sig;
1561
1562 if (d->modem_status)
1563 d->modem_status(d, msc->v24_sig);
1564
1565 rfcomm_dlc_unlock(d);
1566
1567 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1568
1569 d->mscex |= RFCOMM_MSCEX_RX;
1570 } else
1571 d->mscex |= RFCOMM_MSCEX_TX;
1572
1573 return 0;
1574}
1575
1576static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1577{
1578 struct rfcomm_mcc *mcc = (void *) skb->data;
1579 u8 type, cr, len;
1580
1581 cr = __test_cr(mcc->type);
1582 type = __get_mcc_type(mcc->type);
1583 len = __get_mcc_len(mcc->len);
1584
1585 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1586
1587 skb_pull(skb, 2);
1588
1589 switch (type) {
1590 case RFCOMM_PN:
1591 rfcomm_recv_pn(s, cr, skb);
1592 break;
1593
1594 case RFCOMM_RPN:
1595 rfcomm_recv_rpn(s, cr, len, skb);
1596 break;
1597
1598 case RFCOMM_RLS:
1599 rfcomm_recv_rls(s, cr, skb);
1600 break;
1601
1602 case RFCOMM_MSC:
1603 rfcomm_recv_msc(s, cr, skb);
1604 break;
1605
1606 case RFCOMM_FCOFF:
1607 if (cr) {
1608 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1609 rfcomm_send_fcoff(s, 0);
1610 }
1611 break;
1612
1613 case RFCOMM_FCON:
1614 if (cr) {
1615 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1616 rfcomm_send_fcon(s, 0);
1617 }
1618 break;
1619
1620 case RFCOMM_TEST:
1621 if (cr)
1622 rfcomm_send_test(s, 0, skb->data, skb->len);
1623 break;
1624
1625 case RFCOMM_NSC:
1626 break;
1627
1628 default:
1629 BT_ERR("Unknown control type 0x%02x", type);
1630 rfcomm_send_nsc(s, cr, type);
1631 break;
1632 }
1633 return 0;
1634}
1635
1636static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1637{
1638 struct rfcomm_dlc *d;
1639
1640 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1641
1642 d = rfcomm_dlc_get(s, dlci);
1643 if (!d) {
1644 rfcomm_send_dm(s, dlci);
1645 goto drop;
1646 }
1647
1648 if (pf && d->cfc) {
1649 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1650
1651 d->tx_credits += credits;
1652 if (d->tx_credits)
1653 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1654 }
1655
1656 if (skb->len && d->state == BT_CONNECTED) {
1657 rfcomm_dlc_lock(d);
1658 d->rx_credits--;
1659 d->data_ready(d, skb);
1660 rfcomm_dlc_unlock(d);
1661 return 0;
1662 }
1663
1664drop:
1665 kfree_skb(skb);
1666 return 0;
1667}
1668
1669static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1670{
1671 struct rfcomm_hdr *hdr = (void *) skb->data;
1672 u8 type, dlci, fcs;
1673
1674 dlci = __get_dlci(hdr->addr);
1675 type = __get_type(hdr->ctrl);
1676
1677 /* Trim FCS */
1678 skb->len--; skb->tail--;
1679 fcs = *(u8 *)skb_tail_pointer(skb);
1680
1681 if (__check_fcs(skb->data, type, fcs)) {
1682 BT_ERR("bad checksum in packet");
1683 kfree_skb(skb);
1684 return -EILSEQ;
1685 }
1686
1687 if (__test_ea(hdr->len))
1688 skb_pull(skb, 3);
1689 else
1690 skb_pull(skb, 4);
1691
1692 switch (type) {
1693 case RFCOMM_SABM:
1694 if (__test_pf(hdr->ctrl))
1695 rfcomm_recv_sabm(s, dlci);
1696 break;
1697
1698 case RFCOMM_DISC:
1699 if (__test_pf(hdr->ctrl))
1700 rfcomm_recv_disc(s, dlci);
1701 break;
1702
1703 case RFCOMM_UA:
1704 if (__test_pf(hdr->ctrl))
1705 rfcomm_recv_ua(s, dlci);
1706 break;
1707
1708 case RFCOMM_DM:
1709 rfcomm_recv_dm(s, dlci);
1710 break;
1711
1712 case RFCOMM_UIH:
1713 if (dlci)
1714 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1715
1716 rfcomm_recv_mcc(s, skb);
1717 break;
1718
1719 default:
1720 BT_ERR("Unknown packet type 0x%02x", type);
1721 break;
1722 }
1723 kfree_skb(skb);
1724 return 0;
1725}
1726
1727/* ---- Connection and data processing ---- */
1728
1729static void rfcomm_process_connect(struct rfcomm_session *s)
1730{
1731 struct rfcomm_dlc *d;
1732 struct list_head *p, *n;
1733
1734 BT_DBG("session %p state %ld", s, s->state);
1735
1736 list_for_each_safe(p, n, &s->dlcs) {
1737 d = list_entry(p, struct rfcomm_dlc, list);
1738 if (d->state == BT_CONFIG) {
1739 d->mtu = s->mtu;
1740 if (rfcomm_check_security(d)) {
1741 rfcomm_send_pn(s, 1, d);
1742 } else {
1743 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1744 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1745 }
1746 }
1747 }
1748}
1749
1750/* Send data queued for the DLC.
1751 * Return number of frames left in the queue.
1752 */
1753static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1754{
1755 struct sk_buff *skb;
1756 int err;
1757
1758 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1759 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1760
1761 /* Send pending MSC */
1762 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1763 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1764
1765 if (d->cfc) {
1766 /* CFC enabled.
1767 * Give them some credits */
1768 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1769 d->rx_credits <= (d->cfc >> 2)) {
1770 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1771 d->rx_credits = d->cfc;
1772 }
1773 } else {
1774 /* CFC disabled.
1775 * Give ourselves some credits */
1776 d->tx_credits = 5;
1777 }
1778
1779 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1780 return skb_queue_len(&d->tx_queue);
1781
1782 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1783 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1784 if (err < 0) {
1785 skb_queue_head(&d->tx_queue, skb);
1786 break;
1787 }
1788 kfree_skb(skb);
1789 d->tx_credits--;
1790 }
1791
1792 if (d->cfc && !d->tx_credits) {
1793 /* We're out of TX credits.
1794 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1795 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1796 }
1797
1798 return skb_queue_len(&d->tx_queue);
1799}
1800
1801static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1802{
1803 struct rfcomm_dlc *d;
1804 struct list_head *p, *n;
1805
1806 BT_DBG("session %p state %ld", s, s->state);
1807
1808 list_for_each_safe(p, n, &s->dlcs) {
1809 d = list_entry(p, struct rfcomm_dlc, list);
1810
1811 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1812 __rfcomm_dlc_close(d, ETIMEDOUT);
1813 continue;
1814 }
1815
1816 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1817 __rfcomm_dlc_close(d, ECONNREFUSED);
1818 continue;
1819 }
1820
1821 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1822 rfcomm_dlc_clear_timer(d);
1823 if (d->out) {
1824 rfcomm_send_pn(s, 1, d);
1825 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1826 } else {
1827 if (d->defer_setup) {
1828 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1829 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1830
1831 rfcomm_dlc_lock(d);
1832 d->state = BT_CONNECT2;
1833 d->state_change(d, 0);
1834 rfcomm_dlc_unlock(d);
1835 } else
1836 rfcomm_dlc_accept(d);
1837 }
1838 continue;
1839 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1840 rfcomm_dlc_clear_timer(d);
1841 if (!d->out)
1842 rfcomm_send_dm(s, d->dlci);
1843 else
1844 d->state = BT_CLOSED;
1845 __rfcomm_dlc_close(d, ECONNREFUSED);
1846 continue;
1847 }
1848
1849 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1850 continue;
1851
1852 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1853 continue;
1854
1855 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1856 d->mscex == RFCOMM_MSCEX_OK)
1857 rfcomm_process_tx(d);
1858 }
1859}
1860
1861static inline void rfcomm_process_rx(struct rfcomm_session *s)
1862{
1863 struct socket *sock = s->sock;
1864 struct sock *sk = sock->sk;
1865 struct sk_buff *skb;
1866
1867 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1868
1869 /* Get data directly from socket receive queue without copying it. */
1870 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1871 skb_orphan(skb);
1872 if (!skb_linearize(skb))
1873 rfcomm_recv_frame(s, skb);
1874 else
1875 kfree_skb(skb);
1876 }
1877
1878 if (sk->sk_state == BT_CLOSED) {
1879 if (!s->initiator)
1880 rfcomm_session_put(s);
1881
1882 rfcomm_session_close(s, sk->sk_err);
1883 }
1884}
1885
1886static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1887{
1888 struct socket *sock = s->sock, *nsock;
1889 int err;
1890
1891 /* Fast check for a new connection.
1892 * Avoids unnesesary socket allocations. */
1893 if (list_empty(&bt_sk(sock->sk)->accept_q))
1894 return;
1895
1896 BT_DBG("session %p", s);
1897
1898 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1899 if (err < 0)
1900 return;
1901
1902 /* Set our callbacks */
1903 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1904 nsock->sk->sk_state_change = rfcomm_l2state_change;
1905
1906 s = rfcomm_session_add(nsock, BT_OPEN);
1907 if (s) {
1908 rfcomm_session_hold(s);
1909
1910 /* We should adjust MTU on incoming sessions.
1911 * L2CAP MTU minus UIH header and FCS. */
1912 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1913 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1914
1915 rfcomm_schedule();
1916 } else
1917 sock_release(nsock);
1918}
1919
1920static inline void rfcomm_check_connection(struct rfcomm_session *s)
1921{
1922 struct sock *sk = s->sock->sk;
1923
1924 BT_DBG("%p state %ld", s, s->state);
1925
1926 switch (sk->sk_state) {
1927 case BT_CONNECTED:
1928 s->state = BT_CONNECT;
1929
1930 /* We can adjust MTU on outgoing sessions.
1931 * L2CAP MTU minus UIH header and FCS. */
1932 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1933
1934 rfcomm_send_sabm(s, 0);
1935 break;
1936
1937 case BT_CLOSED:
1938 s->state = BT_CLOSED;
1939 rfcomm_session_close(s, sk->sk_err);
1940 break;
1941 }
1942}
1943
1944static inline void rfcomm_process_sessions(void)
1945{
1946 struct list_head *p, *n;
1947
1948 rfcomm_lock();
1949
1950 list_for_each_safe(p, n, &session_list) {
1951 struct rfcomm_session *s;
1952 s = list_entry(p, struct rfcomm_session, list);
1953
1954 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1955 s->state = BT_DISCONN;
1956 rfcomm_send_disc(s, 0);
1957 rfcomm_session_put(s);
1958 continue;
1959 }
1960
1961 if (s->state == BT_LISTEN) {
1962 rfcomm_accept_connection(s);
1963 continue;
1964 }
1965
1966 rfcomm_session_hold(s);
1967
1968 switch (s->state) {
1969 case BT_BOUND:
1970 rfcomm_check_connection(s);
1971 break;
1972
1973 default:
1974 rfcomm_process_rx(s);
1975 break;
1976 }
1977
1978 rfcomm_process_dlcs(s);
1979
1980 rfcomm_session_put(s);
1981 }
1982
1983 rfcomm_unlock();
1984}
1985
1986static int rfcomm_add_listener(bdaddr_t *ba)
1987{
1988 struct sockaddr_l2 addr;
1989 struct socket *sock;
1990 struct sock *sk;
1991 struct rfcomm_session *s;
1992 int err = 0;
1993
1994 /* Create socket */
1995 err = rfcomm_l2sock_create(&sock);
1996 if (err < 0) {
1997 BT_ERR("Create socket failed %d", err);
1998 return err;
1999 }
2000
2001 /* Bind socket */
2002 bacpy(&addr.l2_bdaddr, ba);
2003 addr.l2_family = AF_BLUETOOTH;
2004 addr.l2_psm = cpu_to_le16(RFCOMM_PSM);
2005 addr.l2_cid = 0;
2006 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2007 if (err < 0) {
2008 BT_ERR("Bind failed %d", err);
2009 goto failed;
2010 }
2011
2012 /* Set L2CAP options */
2013 sk = sock->sk;
2014 lock_sock(sk);
2015 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2016 release_sock(sk);
2017
2018 /* Start listening on the socket */
2019 err = kernel_listen(sock, 10);
2020 if (err) {
2021 BT_ERR("Listen failed %d", err);
2022 goto failed;
2023 }
2024
2025 /* Add listening session */
2026 s = rfcomm_session_add(sock, BT_LISTEN);
2027 if (!s)
2028 goto failed;
2029
2030 rfcomm_session_hold(s);
2031 return 0;
2032failed:
2033 sock_release(sock);
2034 return err;
2035}
2036
2037static void rfcomm_kill_listener(void)
2038{
2039 struct rfcomm_session *s;
2040 struct list_head *p, *n;
2041
2042 BT_DBG("");
2043
2044 list_for_each_safe(p, n, &session_list) {
2045 s = list_entry(p, struct rfcomm_session, list);
2046 rfcomm_session_del(s);
2047 }
2048}
2049
2050static int rfcomm_run(void *unused)
2051{
2052 BT_DBG("");
2053
2054 set_user_nice(current, -10);
2055
2056 rfcomm_add_listener(BDADDR_ANY);
2057
2058 while (1) {
2059 set_current_state(TASK_INTERRUPTIBLE);
2060
2061 if (kthread_should_stop())
2062 break;
2063
2064 /* Process stuff */
2065 rfcomm_process_sessions();
2066
2067 schedule();
2068 }
2069 __set_current_state(TASK_RUNNING);
2070
2071 rfcomm_kill_listener();
2072
2073 return 0;
2074}
2075
2076static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2077{
2078 struct rfcomm_session *s;
2079 struct rfcomm_dlc *d;
2080 struct list_head *p, *n;
2081
2082 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2083
2084 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2085 if (!s)
2086 return;
2087
2088 rfcomm_session_hold(s);
2089
2090 list_for_each_safe(p, n, &s->dlcs) {
2091 d = list_entry(p, struct rfcomm_dlc, list);
2092
2093 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2094 rfcomm_dlc_clear_timer(d);
2095 if (status || encrypt == 0x00) {
2096 set_bit(RFCOMM_ENC_DROP, &d->flags);
2097 continue;
2098 }
2099 }
2100
2101 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2102 if (d->sec_level == BT_SECURITY_MEDIUM) {
2103 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2104 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2105 continue;
2106 } else if (d->sec_level == BT_SECURITY_HIGH) {
2107 set_bit(RFCOMM_ENC_DROP, &d->flags);
2108 continue;
2109 }
2110 }
2111
2112 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2113 continue;
2114
2115 if (!status && hci_conn_check_secure(conn, d->sec_level))
2116 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2117 else
2118 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2119 }
2120
2121 rfcomm_session_put(s);
2122
2123 rfcomm_schedule();
2124}
2125
2126static struct hci_cb rfcomm_cb = {
2127 .name = "RFCOMM",
2128 .security_cfm = rfcomm_security_cfm
2129};
2130
2131static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2132{
2133 struct rfcomm_session *s;
2134
2135 rfcomm_lock();
2136
2137 list_for_each_entry(s, &session_list, list) {
2138 struct rfcomm_dlc *d;
2139 list_for_each_entry(d, &s->dlcs, list) {
2140 struct sock *sk = s->sock->sk;
2141
2142 seq_printf(f, "%s %s %ld %d %d %d %d\n",
2143 batostr(&bt_sk(sk)->src),
2144 batostr(&bt_sk(sk)->dst),
2145 d->state, d->dlci, d->mtu,
2146 d->rx_credits, d->tx_credits);
2147 }
2148 }
2149
2150 rfcomm_unlock();
2151
2152 return 0;
2153}
2154
2155static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2156{
2157 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2158}
2159
2160static const struct file_operations rfcomm_dlc_debugfs_fops = {
2161 .open = rfcomm_dlc_debugfs_open,
2162 .read = seq_read,
2163 .llseek = seq_lseek,
2164 .release = single_release,
2165};
2166
2167static struct dentry *rfcomm_dlc_debugfs;
2168
2169/* ---- Initialization ---- */
2170static int __init rfcomm_init(void)
2171{
2172 int err;
2173
2174 hci_register_cb(&rfcomm_cb);
2175
2176 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2177 if (IS_ERR(rfcomm_thread)) {
2178 err = PTR_ERR(rfcomm_thread);
2179 goto unregister;
2180 }
2181
2182 if (bt_debugfs) {
2183 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2184 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2185 if (!rfcomm_dlc_debugfs)
2186 BT_ERR("Failed to create RFCOMM debug file");
2187 }
2188
2189 err = rfcomm_init_ttys();
2190 if (err < 0)
2191 goto stop;
2192
2193 err = rfcomm_init_sockets();
2194 if (err < 0)
2195 goto cleanup;
2196
2197 BT_INFO("RFCOMM ver %s", VERSION);
2198
2199 return 0;
2200
2201cleanup:
2202 rfcomm_cleanup_ttys();
2203
2204stop:
2205 kthread_stop(rfcomm_thread);
2206
2207unregister:
2208 hci_unregister_cb(&rfcomm_cb);
2209
2210 return err;
2211}
2212
2213static void __exit rfcomm_exit(void)
2214{
2215 debugfs_remove(rfcomm_dlc_debugfs);
2216
2217 hci_unregister_cb(&rfcomm_cb);
2218
2219 kthread_stop(rfcomm_thread);
2220
2221 rfcomm_cleanup_ttys();
2222
2223 rfcomm_cleanup_sockets();
2224}
2225
2226module_init(rfcomm_init);
2227module_exit(rfcomm_exit);
2228
2229module_param(disable_cfc, bool, 0644);
2230MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2231
2232module_param(channel_mtu, int, 0644);
2233MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2234
2235module_param(l2cap_mtu, uint, 0644);
2236MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2237
2238module_param(l2cap_ertm, bool, 0644);
2239MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2240
2241MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2242MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2243MODULE_VERSION(VERSION);
2244MODULE_LICENSE("GPL");
2245MODULE_ALIAS("bt-proto-3");