1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * Bluetooth RFCOMM core.
26 */
27
28 #include <linux/module.h>
29 #include <linux/debugfs.h>
30 #include <linux/kthread.h>
31 #include <asm/unaligned.h>
32
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35 #include <net/bluetooth/l2cap.h>
36 #include <net/bluetooth/rfcomm.h>
37
38 #include <trace/events/sock.h>
39
40 #define VERSION "1.11"
41
42 static bool disable_cfc;
43 static bool l2cap_ertm;
44 static int channel_mtu = -1;
45
46 static struct task_struct *rfcomm_thread;
47
48 static DEFINE_MUTEX(rfcomm_mutex);
49 #define rfcomm_lock() mutex_lock(&rfcomm_mutex)
50 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
51
52
53 static LIST_HEAD(session_list);
54
55 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
56 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
57 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
58 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
59 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
60 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
61 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
62 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
63 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
64 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
65
66 static void rfcomm_process_connect(struct rfcomm_session *s);
67
68 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
69 bdaddr_t *dst,
70 u8 sec_level,
71 int *err);
72 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
73 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
74
75 /* ---- RFCOMM frame parsing macros ---- */
76 #define __get_dlci(b) ((b & 0xfc) >> 2)
77 #define __get_type(b) ((b & 0xef))
78
79 #define __test_ea(b) ((b & 0x01))
80 #define __test_cr(b) (!!(b & 0x02))
81 #define __test_pf(b) (!!(b & 0x10))
82
83 #define __session_dir(s) ((s)->initiator ? 0x00 : 0x01)
84
85 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
86 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
87 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
88 #define __srv_channel(dlci) (dlci >> 1)
89
90 #define __len8(len) (((len) << 1) | 1)
91 #define __len16(len) ((len) << 1)
92
93 /* MCC macros */
94 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
95 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
96 #define __get_mcc_len(b) ((b & 0xfe) >> 1)
97
98 /* RPN macros */
99 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
100 #define __get_rpn_data_bits(line) ((line) & 0x3)
101 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
102 #define __get_rpn_parity(line) (((line) >> 3) & 0x7)
103
104 static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq);
105
106 static void rfcomm_schedule(void)
107 {
108 wake_up_all(&rfcomm_wq);
109 }
110
111 /* ---- RFCOMM FCS computation ---- */
112
113 /* reversed, 8-bit, poly=0x07 */
114 static unsigned char rfcomm_crc_table[256] = {
115 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
116 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
117 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
118 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
119
120 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
121 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
122 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
123 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
124
125 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
126 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
127 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
128 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
129
130 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
131 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
132 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
133 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
134
135 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
136 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
137 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
138 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
139
140 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
141 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
142 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
143 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
144
145 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
146 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
147 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
148 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
149
150 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
151 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
152 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
153 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
154 };
155
156 /* CRC on 2 bytes */
157 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
158
159 /* FCS on 2 bytes */
160 static inline u8 __fcs(u8 *data)
161 {
162 return 0xff - __crc(data);
163 }
164
165 /* FCS on 3 bytes */
166 static inline u8 __fcs2(u8 *data)
167 {
168 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
169 }
170
171 /* Check FCS */
172 static inline int __check_fcs(u8 *data, int type, u8 fcs)
173 {
174 u8 f = __crc(data);
175
176 if (type != RFCOMM_UIH)
177 f = rfcomm_crc_table[f ^ data[2]];
178
179 return rfcomm_crc_table[f ^ fcs] != 0xcf;
180 }
181
182 /* ---- L2CAP callbacks ---- */
183 static void rfcomm_l2state_change(struct sock *sk)
184 {
185 BT_DBG("%p state %d", sk, sk->sk_state);
186 rfcomm_schedule();
187 }
188
189 static void rfcomm_l2data_ready(struct sock *sk)
190 {
191 trace_sk_data_ready(sk);
192
193 BT_DBG("%p", sk);
194 rfcomm_schedule();
195 }
196
197 static int rfcomm_l2sock_create(struct socket **sock)
198 {
199 int err;
200
201 BT_DBG("");
202
203 err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
204 if (!err) {
205 struct sock *sk = (*sock)->sk;
206 sk->sk_data_ready = rfcomm_l2data_ready;
207 sk->sk_state_change = rfcomm_l2state_change;
208 }
209 return err;
210 }
211
212 static int rfcomm_check_security(struct rfcomm_dlc *d)
213 {
214 struct sock *sk = d->session->sock->sk;
215 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
216
217 __u8 auth_type;
218
219 switch (d->sec_level) {
220 case BT_SECURITY_HIGH:
221 case BT_SECURITY_FIPS:
222 auth_type = HCI_AT_GENERAL_BONDING_MITM;
223 break;
224 case BT_SECURITY_MEDIUM:
225 auth_type = HCI_AT_GENERAL_BONDING;
226 break;
227 default:
228 auth_type = HCI_AT_NO_BONDING;
229 break;
230 }
231
232 return hci_conn_security(conn->hcon, d->sec_level, auth_type,
233 d->out);
234 }
235
236 static void rfcomm_session_timeout(struct timer_list *t)
237 {
238 struct rfcomm_session *s = from_timer(s, t, timer);
239
240 BT_DBG("session %p state %ld", s, s->state);
241
242 set_bit(RFCOMM_TIMED_OUT, &s->flags);
243 rfcomm_schedule();
244 }
245
246 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
247 {
248 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
249
250 mod_timer(&s->timer, jiffies + timeout);
251 }
252
253 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
254 {
255 BT_DBG("session %p state %ld", s, s->state);
256
257 del_timer_sync(&s->timer);
258 }
259
260 /* ---- RFCOMM DLCs ---- */
261 static void rfcomm_dlc_timeout(struct timer_list *t)
262 {
263 struct rfcomm_dlc *d = from_timer(d, t, timer);
264
265 BT_DBG("dlc %p state %ld", d, d->state);
266
267 set_bit(RFCOMM_TIMED_OUT, &d->flags);
268 rfcomm_dlc_put(d);
269 rfcomm_schedule();
270 }
271
272 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
273 {
274 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
275
276 if (!mod_timer(&d->timer, jiffies + timeout))
277 rfcomm_dlc_hold(d);
278 }
279
280 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
281 {
282 BT_DBG("dlc %p state %ld", d, d->state);
283
284 if (del_timer(&d->timer))
285 rfcomm_dlc_put(d);
286 }
287
288 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
289 {
290 BT_DBG("%p", d);
291
292 d->state = BT_OPEN;
293 d->flags = 0;
294 d->mscex = 0;
295 d->sec_level = BT_SECURITY_LOW;
296 d->mtu = RFCOMM_DEFAULT_MTU;
297 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
298
299 d->cfc = RFCOMM_CFC_DISABLED;
300 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
301 }
302
303 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
304 {
305 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
306
307 if (!d)
308 return NULL;
309
310 timer_setup(&d->timer, rfcomm_dlc_timeout, 0);
311
312 skb_queue_head_init(&d->tx_queue);
313 mutex_init(&d->lock);
314 refcount_set(&d->refcnt, 1);
315
316 rfcomm_dlc_clear_state(d);
317
318 BT_DBG("%p", d);
319
320 return d;
321 }
322
323 void rfcomm_dlc_free(struct rfcomm_dlc *d)
324 {
325 BT_DBG("%p", d);
326
327 skb_queue_purge(&d->tx_queue);
328 kfree(d);
329 }
330
331 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
332 {
333 BT_DBG("dlc %p session %p", d, s);
334
335 rfcomm_session_clear_timer(s);
336 rfcomm_dlc_hold(d);
337 list_add(&d->list, &s->dlcs);
338 d->session = s;
339 }
340
341 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
342 {
343 struct rfcomm_session *s = d->session;
344
345 BT_DBG("dlc %p refcnt %d session %p", d, refcount_read(&d->refcnt), s);
346
347 list_del(&d->list);
348 d->session = NULL;
349 rfcomm_dlc_put(d);
350
351 if (list_empty(&s->dlcs))
352 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
353 }
354
355 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
356 {
357 struct rfcomm_dlc *d;
358
359 list_for_each_entry(d, &s->dlcs, list)
360 if (d->dlci == dlci)
361 return d;
362
363 return NULL;
364 }
365
366 static int rfcomm_check_channel(u8 channel)
367 {
368 return channel < 1 || channel > 30;
369 }
370
371 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
372 {
373 struct rfcomm_session *s;
374 int err = 0;
375 u8 dlci;
376
377 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
378 d, d->state, src, dst, channel);
379
380 if (rfcomm_check_channel(channel))
381 return -EINVAL;
382
383 if (d->state != BT_OPEN && d->state != BT_CLOSED)
384 return 0;
385
386 s = rfcomm_session_get(src, dst);
387 if (!s) {
388 s = rfcomm_session_create(src, dst, d->sec_level, &err);
389 if (!s)
390 return err;
391 }
392
393 dlci = __dlci(__session_dir(s), channel);
394
395 /* Check if DLCI already exists */
396 if (rfcomm_dlc_get(s, dlci))
397 return -EBUSY;
398
399 rfcomm_dlc_clear_state(d);
400
401 d->dlci = dlci;
402 d->addr = __addr(s->initiator, dlci);
403 d->priority = 7;
404
405 d->state = BT_CONFIG;
406 rfcomm_dlc_link(s, d);
407
408 d->out = 1;
409
410 d->mtu = s->mtu;
411 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
412
413 if (s->state == BT_CONNECTED) {
414 if (rfcomm_check_security(d))
415 rfcomm_send_pn(s, 1, d);
416 else
417 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
418 }
419
420 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
421
422 return 0;
423 }
424
425 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
426 {
427 int r;
428
429 rfcomm_lock();
430
431 r = __rfcomm_dlc_open(d, src, dst, channel);
432
433 rfcomm_unlock();
434 return r;
435 }
436
437 static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
438 {
439 struct rfcomm_session *s = d->session;
440
441 d->state = BT_DISCONN;
442 if (skb_queue_empty(&d->tx_queue)) {
443 rfcomm_send_disc(s, d->dlci);
444 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
445 } else {
446 rfcomm_queue_disc(d);
447 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
448 }
449 }
450
451 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
452 {
453 struct rfcomm_session *s = d->session;
454 if (!s)
455 return 0;
456
457 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
458 d, d->state, d->dlci, err, s);
459
460 switch (d->state) {
461 case BT_CONNECT:
462 case BT_CONFIG:
463 case BT_OPEN:
464 case BT_CONNECT2:
465 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
466 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
467 rfcomm_schedule();
468 return 0;
469 }
470 }
471
472 switch (d->state) {
473 case BT_CONNECT:
474 case BT_CONNECTED:
475 __rfcomm_dlc_disconn(d);
476 break;
477
478 case BT_CONFIG:
479 if (s->state != BT_BOUND) {
480 __rfcomm_dlc_disconn(d);
481 break;
482 }
483 /* if closing a dlc in a session that hasn't been started,
484 * just close and unlink the dlc
485 */
486 fallthrough;
487
488 default:
489 rfcomm_dlc_clear_timer(d);
490
491 rfcomm_dlc_lock(d);
492 d->state = BT_CLOSED;
493 d->state_change(d, err);
494 rfcomm_dlc_unlock(d);
495
496 skb_queue_purge(&d->tx_queue);
497 rfcomm_dlc_unlink(d);
498 }
499
500 return 0;
501 }
502
503 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
504 {
505 int r = 0;
506 struct rfcomm_dlc *d_list;
507 struct rfcomm_session *s, *s_list;
508
509 BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
510
511 rfcomm_lock();
512
513 s = d->session;
514 if (!s)
515 goto no_session;
516
517 /* after waiting on the mutex check the session still exists
518 * then check the dlc still exists
519 */
520 list_for_each_entry(s_list, &session_list, list) {
521 if (s_list == s) {
522 list_for_each_entry(d_list, &s->dlcs, list) {
523 if (d_list == d) {
524 r = __rfcomm_dlc_close(d, err);
525 break;
526 }
527 }
528 break;
529 }
530 }
531
532 no_session:
533 rfcomm_unlock();
534 return r;
535 }
536
537 struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
538 {
539 struct rfcomm_session *s;
540 struct rfcomm_dlc *dlc = NULL;
541 u8 dlci;
542
543 if (rfcomm_check_channel(channel))
544 return ERR_PTR(-EINVAL);
545
546 rfcomm_lock();
547 s = rfcomm_session_get(src, dst);
548 if (s) {
549 dlci = __dlci(__session_dir(s), channel);
550 dlc = rfcomm_dlc_get(s, dlci);
551 }
552 rfcomm_unlock();
553 return dlc;
554 }
555
556 static int rfcomm_dlc_send_frag(struct rfcomm_dlc *d, struct sk_buff *frag)
557 {
558 int len = frag->len;
559
560 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
561
562 if (len > d->mtu)
563 return -EINVAL;
564
565 rfcomm_make_uih(frag, d->addr);
566 __skb_queue_tail(&d->tx_queue, frag);
567
568 return len;
569 }
570
571 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
572 {
573 unsigned long flags;
574 struct sk_buff *frag, *next;
575 int len;
576
577 if (d->state != BT_CONNECTED)
578 return -ENOTCONN;
579
580 frag = skb_shinfo(skb)->frag_list;
581 skb_shinfo(skb)->frag_list = NULL;
582
583 /* Queue all fragments atomically. */
584 spin_lock_irqsave(&d->tx_queue.lock, flags);
585
586 len = rfcomm_dlc_send_frag(d, skb);
587 if (len < 0 || !frag)
588 goto unlock;
589
590 for (; frag; frag = next) {
591 int ret;
592
593 next = frag->next;
594
595 ret = rfcomm_dlc_send_frag(d, frag);
596 if (ret < 0) {
597 dev_kfree_skb_irq(frag);
598 goto unlock;
599 }
600
601 len += ret;
602 }
603
604 unlock:
605 spin_unlock_irqrestore(&d->tx_queue.lock, flags);
606
607 if (len > 0 && !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
608 rfcomm_schedule();
609 return len;
610 }
611
612 void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
613 {
614 int len = skb->len;
615
616 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
617
618 rfcomm_make_uih(skb, d->addr);
619 skb_queue_tail(&d->tx_queue, skb);
620
621 if (d->state == BT_CONNECTED &&
622 !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
623 rfcomm_schedule();
624 }
625
626 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
627 {
628 BT_DBG("dlc %p state %ld", d, d->state);
629
630 if (!d->cfc) {
631 d->v24_sig |= RFCOMM_V24_FC;
632 set_bit(RFCOMM_MSC_PENDING, &d->flags);
633 }
634 rfcomm_schedule();
635 }
636
637 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
638 {
639 BT_DBG("dlc %p state %ld", d, d->state);
640
641 if (!d->cfc) {
642 d->v24_sig &= ~RFCOMM_V24_FC;
643 set_bit(RFCOMM_MSC_PENDING, &d->flags);
644 }
645 rfcomm_schedule();
646 }
647
648 /*
649 Set/get modem status functions use _local_ status i.e. what we report
650 to the other side.
651 Remote status is provided by dlc->modem_status() callback.
652 */
653 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
654 {
655 BT_DBG("dlc %p state %ld v24_sig 0x%x",
656 d, d->state, v24_sig);
657
658 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
659 v24_sig |= RFCOMM_V24_FC;
660 else
661 v24_sig &= ~RFCOMM_V24_FC;
662
663 d->v24_sig = v24_sig;
664
665 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
666 rfcomm_schedule();
667
668 return 0;
669 }
670
671 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
672 {
673 BT_DBG("dlc %p state %ld v24_sig 0x%x",
674 d, d->state, d->v24_sig);
675
676 *v24_sig = d->v24_sig;
677 return 0;
678 }
679
680 /* ---- RFCOMM sessions ---- */
681 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
682 {
683 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
684
685 if (!s)
686 return NULL;
687
688 BT_DBG("session %p sock %p", s, sock);
689
690 timer_setup(&s->timer, rfcomm_session_timeout, 0);
691
692 INIT_LIST_HEAD(&s->dlcs);
693 s->state = state;
694 s->sock = sock;
695
696 s->mtu = RFCOMM_DEFAULT_MTU;
697 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
698
699 /* Do not increment module usage count for listening sessions.
700 * Otherwise we won't be able to unload the module. */
701 if (state != BT_LISTEN)
702 if (!try_module_get(THIS_MODULE)) {
703 kfree(s);
704 return NULL;
705 }
706
707 list_add(&s->list, &session_list);
708
709 return s;
710 }
711
712 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
713 {
714 int state = s->state;
715
716 BT_DBG("session %p state %ld", s, s->state);
717
718 list_del(&s->list);
719
720 rfcomm_session_clear_timer(s);
721 sock_release(s->sock);
722 kfree(s);
723
724 if (state != BT_LISTEN)
725 module_put(THIS_MODULE);
726
727 return NULL;
728 }
729
730 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
731 {
732 struct rfcomm_session *s, *n;
733 struct l2cap_chan *chan;
734 list_for_each_entry_safe(s, n, &session_list, list) {
735 chan = l2cap_pi(s->sock->sk)->chan;
736
737 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) &&
738 !bacmp(&chan->dst, dst))
739 return s;
740 }
741 return NULL;
742 }
743
744 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
745 int err)
746 {
747 struct rfcomm_dlc *d, *n;
748
749 s->state = BT_CLOSED;
750
751 BT_DBG("session %p state %ld err %d", s, s->state, err);
752
753 /* Close all dlcs */
754 list_for_each_entry_safe(d, n, &s->dlcs, list) {
755 d->state = BT_CLOSED;
756 __rfcomm_dlc_close(d, err);
757 }
758
759 rfcomm_session_clear_timer(s);
760 return rfcomm_session_del(s);
761 }
762
763 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
764 bdaddr_t *dst,
765 u8 sec_level,
766 int *err)
767 {
768 struct rfcomm_session *s = NULL;
769 struct sockaddr_l2 addr;
770 struct socket *sock;
771 struct sock *sk;
772
773 BT_DBG("%pMR -> %pMR", src, dst);
774
775 *err = rfcomm_l2sock_create(&sock);
776 if (*err < 0)
777 return NULL;
778
779 bacpy(&addr.l2_bdaddr, src);
780 addr.l2_family = AF_BLUETOOTH;
781 addr.l2_psm = 0;
782 addr.l2_cid = 0;
783 addr.l2_bdaddr_type = BDADDR_BREDR;
784 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
785 if (*err < 0)
786 goto failed;
787
788 /* Set L2CAP options */
789 sk = sock->sk;
790 lock_sock(sk);
791 /* Set MTU to 0 so L2CAP can auto select the MTU */
792 l2cap_pi(sk)->chan->imtu = 0;
793 l2cap_pi(sk)->chan->sec_level = sec_level;
794 if (l2cap_ertm)
795 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
796 release_sock(sk);
797
798 s = rfcomm_session_add(sock, BT_BOUND);
799 if (!s) {
800 *err = -ENOMEM;
801 goto failed;
802 }
803
804 s->initiator = 1;
805
806 bacpy(&addr.l2_bdaddr, dst);
807 addr.l2_family = AF_BLUETOOTH;
808 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM);
809 addr.l2_cid = 0;
810 addr.l2_bdaddr_type = BDADDR_BREDR;
811 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
812 if (*err == 0 || *err == -EINPROGRESS)
813 return s;
814
815 return rfcomm_session_del(s);
816
817 failed:
818 sock_release(sock);
819 return NULL;
820 }
821
822 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
823 {
824 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
825 if (src)
826 bacpy(src, &chan->src);
827 if (dst)
828 bacpy(dst, &chan->dst);
829 }
830
831 /* ---- RFCOMM frame sending ---- */
832 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
833 {
834 struct kvec iv = { data, len };
835 struct msghdr msg;
836
837 BT_DBG("session %p len %d", s, len);
838
839 memset(&msg, 0, sizeof(msg));
840
841 return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
842 }
843
844 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
845 {
846 BT_DBG("%p cmd %u", s, cmd->ctrl);
847
848 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
849 }
850
851 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
852 {
853 struct rfcomm_cmd cmd;
854
855 BT_DBG("%p dlci %d", s, dlci);
856
857 cmd.addr = __addr(s->initiator, dlci);
858 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
859 cmd.len = __len8(0);
860 cmd.fcs = __fcs2((u8 *) &cmd);
861
862 return rfcomm_send_cmd(s, &cmd);
863 }
864
865 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
866 {
867 struct rfcomm_cmd cmd;
868
869 BT_DBG("%p dlci %d", s, dlci);
870
871 cmd.addr = __addr(!s->initiator, dlci);
872 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
873 cmd.len = __len8(0);
874 cmd.fcs = __fcs2((u8 *) &cmd);
875
876 return rfcomm_send_cmd(s, &cmd);
877 }
878
879 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
880 {
881 struct rfcomm_cmd cmd;
882
883 BT_DBG("%p dlci %d", s, dlci);
884
885 cmd.addr = __addr(s->initiator, dlci);
886 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
887 cmd.len = __len8(0);
888 cmd.fcs = __fcs2((u8 *) &cmd);
889
890 return rfcomm_send_cmd(s, &cmd);
891 }
892
893 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
894 {
895 struct rfcomm_cmd *cmd;
896 struct sk_buff *skb;
897
898 BT_DBG("dlc %p dlci %d", d, d->dlci);
899
900 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
901 if (!skb)
902 return -ENOMEM;
903
904 cmd = __skb_put(skb, sizeof(*cmd));
905 cmd->addr = d->addr;
906 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
907 cmd->len = __len8(0);
908 cmd->fcs = __fcs2((u8 *) cmd);
909
910 skb_queue_tail(&d->tx_queue, skb);
911 rfcomm_schedule();
912 return 0;
913 }
914
915 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
916 {
917 struct rfcomm_cmd cmd;
918
919 BT_DBG("%p dlci %d", s, dlci);
920
921 cmd.addr = __addr(!s->initiator, dlci);
922 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
923 cmd.len = __len8(0);
924 cmd.fcs = __fcs2((u8 *) &cmd);
925
926 return rfcomm_send_cmd(s, &cmd);
927 }
928
929 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
930 {
931 struct rfcomm_hdr *hdr;
932 struct rfcomm_mcc *mcc;
933 u8 buf[16], *ptr = buf;
934
935 BT_DBG("%p cr %d type %d", s, cr, type);
936
937 hdr = (void *) ptr; ptr += sizeof(*hdr);
938 hdr->addr = __addr(s->initiator, 0);
939 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
940 hdr->len = __len8(sizeof(*mcc) + 1);
941
942 mcc = (void *) ptr; ptr += sizeof(*mcc);
943 mcc->type = __mcc_type(0, RFCOMM_NSC);
944 mcc->len = __len8(1);
945
946 /* Type that we didn't like */
947 *ptr = __mcc_type(cr, type); ptr++;
948
949 *ptr = __fcs(buf); ptr++;
950
951 return rfcomm_send_frame(s, buf, ptr - buf);
952 }
953
954 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
955 {
956 struct rfcomm_hdr *hdr;
957 struct rfcomm_mcc *mcc;
958 struct rfcomm_pn *pn;
959 u8 buf[16], *ptr = buf;
960
961 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
962
963 hdr = (void *) ptr; ptr += sizeof(*hdr);
964 hdr->addr = __addr(s->initiator, 0);
965 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
966 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
967
968 mcc = (void *) ptr; ptr += sizeof(*mcc);
969 mcc->type = __mcc_type(cr, RFCOMM_PN);
970 mcc->len = __len8(sizeof(*pn));
971
972 pn = (void *) ptr; ptr += sizeof(*pn);
973 pn->dlci = d->dlci;
974 pn->priority = d->priority;
975 pn->ack_timer = 0;
976 pn->max_retrans = 0;
977
978 if (s->cfc) {
979 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
980 pn->credits = RFCOMM_DEFAULT_CREDITS;
981 } else {
982 pn->flow_ctrl = 0;
983 pn->credits = 0;
984 }
985
986 if (cr && channel_mtu >= 0)
987 pn->mtu = cpu_to_le16(channel_mtu);
988 else
989 pn->mtu = cpu_to_le16(d->mtu);
990
991 *ptr = __fcs(buf); ptr++;
992
993 return rfcomm_send_frame(s, buf, ptr - buf);
994 }
995
996 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
997 u8 bit_rate, u8 data_bits, u8 stop_bits,
998 u8 parity, u8 flow_ctrl_settings,
999 u8 xon_char, u8 xoff_char, u16 param_mask)
1000 {
1001 struct rfcomm_hdr *hdr;
1002 struct rfcomm_mcc *mcc;
1003 struct rfcomm_rpn *rpn;
1004 u8 buf[16], *ptr = buf;
1005
1006 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
1007 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
1008 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
1009 flow_ctrl_settings, xon_char, xoff_char, param_mask);
1010
1011 hdr = (void *) ptr; ptr += sizeof(*hdr);
1012 hdr->addr = __addr(s->initiator, 0);
1013 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1014 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
1015
1016 mcc = (void *) ptr; ptr += sizeof(*mcc);
1017 mcc->type = __mcc_type(cr, RFCOMM_RPN);
1018 mcc->len = __len8(sizeof(*rpn));
1019
1020 rpn = (void *) ptr; ptr += sizeof(*rpn);
1021 rpn->dlci = __addr(1, dlci);
1022 rpn->bit_rate = bit_rate;
1023 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
1024 rpn->flow_ctrl = flow_ctrl_settings;
1025 rpn->xon_char = xon_char;
1026 rpn->xoff_char = xoff_char;
1027 rpn->param_mask = cpu_to_le16(param_mask);
1028
1029 *ptr = __fcs(buf); ptr++;
1030
1031 return rfcomm_send_frame(s, buf, ptr - buf);
1032 }
1033
1034 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
1035 {
1036 struct rfcomm_hdr *hdr;
1037 struct rfcomm_mcc *mcc;
1038 struct rfcomm_rls *rls;
1039 u8 buf[16], *ptr = buf;
1040
1041 BT_DBG("%p cr %d status 0x%x", s, cr, status);
1042
1043 hdr = (void *) ptr; ptr += sizeof(*hdr);
1044 hdr->addr = __addr(s->initiator, 0);
1045 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1046 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
1047
1048 mcc = (void *) ptr; ptr += sizeof(*mcc);
1049 mcc->type = __mcc_type(cr, RFCOMM_RLS);
1050 mcc->len = __len8(sizeof(*rls));
1051
1052 rls = (void *) ptr; ptr += sizeof(*rls);
1053 rls->dlci = __addr(1, dlci);
1054 rls->status = status;
1055
1056 *ptr = __fcs(buf); ptr++;
1057
1058 return rfcomm_send_frame(s, buf, ptr - buf);
1059 }
1060
1061 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
1062 {
1063 struct rfcomm_hdr *hdr;
1064 struct rfcomm_mcc *mcc;
1065 struct rfcomm_msc *msc;
1066 u8 buf[16], *ptr = buf;
1067
1068 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
1069
1070 hdr = (void *) ptr; ptr += sizeof(*hdr);
1071 hdr->addr = __addr(s->initiator, 0);
1072 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1073 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
1074
1075 mcc = (void *) ptr; ptr += sizeof(*mcc);
1076 mcc->type = __mcc_type(cr, RFCOMM_MSC);
1077 mcc->len = __len8(sizeof(*msc));
1078
1079 msc = (void *) ptr; ptr += sizeof(*msc);
1080 msc->dlci = __addr(1, dlci);
1081 msc->v24_sig = v24_sig | 0x01;
1082
1083 *ptr = __fcs(buf); ptr++;
1084
1085 return rfcomm_send_frame(s, buf, ptr - buf);
1086 }
1087
1088 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1089 {
1090 struct rfcomm_hdr *hdr;
1091 struct rfcomm_mcc *mcc;
1092 u8 buf[16], *ptr = buf;
1093
1094 BT_DBG("%p cr %d", s, cr);
1095
1096 hdr = (void *) ptr; ptr += sizeof(*hdr);
1097 hdr->addr = __addr(s->initiator, 0);
1098 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1099 hdr->len = __len8(sizeof(*mcc));
1100
1101 mcc = (void *) ptr; ptr += sizeof(*mcc);
1102 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1103 mcc->len = __len8(0);
1104
1105 *ptr = __fcs(buf); ptr++;
1106
1107 return rfcomm_send_frame(s, buf, ptr - buf);
1108 }
1109
1110 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1111 {
1112 struct rfcomm_hdr *hdr;
1113 struct rfcomm_mcc *mcc;
1114 u8 buf[16], *ptr = buf;
1115
1116 BT_DBG("%p cr %d", s, cr);
1117
1118 hdr = (void *) ptr; ptr += sizeof(*hdr);
1119 hdr->addr = __addr(s->initiator, 0);
1120 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1121 hdr->len = __len8(sizeof(*mcc));
1122
1123 mcc = (void *) ptr; ptr += sizeof(*mcc);
1124 mcc->type = __mcc_type(cr, RFCOMM_FCON);
1125 mcc->len = __len8(0);
1126
1127 *ptr = __fcs(buf); ptr++;
1128
1129 return rfcomm_send_frame(s, buf, ptr - buf);
1130 }
1131
1132 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1133 {
1134 struct socket *sock = s->sock;
1135 struct kvec iv[3];
1136 struct msghdr msg;
1137 unsigned char hdr[5], crc[1];
1138
1139 if (len > 125)
1140 return -EINVAL;
1141
1142 BT_DBG("%p cr %d", s, cr);
1143
1144 hdr[0] = __addr(s->initiator, 0);
1145 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1146 hdr[2] = 0x01 | ((len + 2) << 1);
1147 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1148 hdr[4] = 0x01 | (len << 1);
1149
1150 crc[0] = __fcs(hdr);
1151
1152 iv[0].iov_base = hdr;
1153 iv[0].iov_len = 5;
1154 iv[1].iov_base = pattern;
1155 iv[1].iov_len = len;
1156 iv[2].iov_base = crc;
1157 iv[2].iov_len = 1;
1158
1159 memset(&msg, 0, sizeof(msg));
1160
1161 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1162 }
1163
1164 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1165 {
1166 struct rfcomm_hdr *hdr;
1167 u8 buf[16], *ptr = buf;
1168
1169 BT_DBG("%p addr %d credits %d", s, addr, credits);
1170
1171 hdr = (void *) ptr; ptr += sizeof(*hdr);
1172 hdr->addr = addr;
1173 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1174 hdr->len = __len8(0);
1175
1176 *ptr = credits; ptr++;
1177
1178 *ptr = __fcs(buf); ptr++;
1179
1180 return rfcomm_send_frame(s, buf, ptr - buf);
1181 }
1182
1183 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1184 {
1185 struct rfcomm_hdr *hdr;
1186 int len = skb->len;
1187 u8 *crc;
1188
1189 if (len > 127) {
1190 hdr = skb_push(skb, 4);
1191 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1192 } else {
1193 hdr = skb_push(skb, 3);
1194 hdr->len = __len8(len);
1195 }
1196 hdr->addr = addr;
1197 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1198
1199 crc = skb_put(skb, 1);
1200 *crc = __fcs((void *) hdr);
1201 }
1202
1203 /* ---- RFCOMM frame reception ---- */
1204 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1205 {
1206 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1207
1208 if (dlci) {
1209 /* Data channel */
1210 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1211 if (!d) {
1212 rfcomm_send_dm(s, dlci);
1213 return s;
1214 }
1215
1216 switch (d->state) {
1217 case BT_CONNECT:
1218 rfcomm_dlc_clear_timer(d);
1219
1220 rfcomm_dlc_lock(d);
1221 d->state = BT_CONNECTED;
1222 d->state_change(d, 0);
1223 rfcomm_dlc_unlock(d);
1224
1225 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1226 break;
1227
1228 case BT_DISCONN:
1229 d->state = BT_CLOSED;
1230 __rfcomm_dlc_close(d, 0);
1231
1232 if (list_empty(&s->dlcs)) {
1233 s->state = BT_DISCONN;
1234 rfcomm_send_disc(s, 0);
1235 rfcomm_session_clear_timer(s);
1236 }
1237
1238 break;
1239 }
1240 } else {
1241 /* Control channel */
1242 switch (s->state) {
1243 case BT_CONNECT:
1244 s->state = BT_CONNECTED;
1245 rfcomm_process_connect(s);
1246 break;
1247
1248 case BT_DISCONN:
1249 s = rfcomm_session_close(s, ECONNRESET);
1250 break;
1251 }
1252 }
1253 return s;
1254 }
1255
1256 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1257 {
1258 int err = 0;
1259
1260 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1261
1262 if (dlci) {
1263 /* Data DLC */
1264 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1265 if (d) {
1266 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1267 err = ECONNREFUSED;
1268 else
1269 err = ECONNRESET;
1270
1271 d->state = BT_CLOSED;
1272 __rfcomm_dlc_close(d, err);
1273 }
1274 } else {
1275 if (s->state == BT_CONNECT)
1276 err = ECONNREFUSED;
1277 else
1278 err = ECONNRESET;
1279
1280 s = rfcomm_session_close(s, err);
1281 }
1282 return s;
1283 }
1284
1285 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1286 u8 dlci)
1287 {
1288 int err = 0;
1289
1290 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1291
1292 if (dlci) {
1293 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1294 if (d) {
1295 rfcomm_send_ua(s, dlci);
1296
1297 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1298 err = ECONNREFUSED;
1299 else
1300 err = ECONNRESET;
1301
1302 d->state = BT_CLOSED;
1303 __rfcomm_dlc_close(d, err);
1304 } else
1305 rfcomm_send_dm(s, dlci);
1306
1307 } else {
1308 rfcomm_send_ua(s, 0);
1309
1310 if (s->state == BT_CONNECT)
1311 err = ECONNREFUSED;
1312 else
1313 err = ECONNRESET;
1314
1315 s = rfcomm_session_close(s, err);
1316 }
1317 return s;
1318 }
1319
1320 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1321 {
1322 struct sock *sk = d->session->sock->sk;
1323 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1324
1325 BT_DBG("dlc %p", d);
1326
1327 rfcomm_send_ua(d->session, d->dlci);
1328
1329 rfcomm_dlc_clear_timer(d);
1330
1331 rfcomm_dlc_lock(d);
1332 d->state = BT_CONNECTED;
1333 d->state_change(d, 0);
1334 rfcomm_dlc_unlock(d);
1335
1336 if (d->role_switch)
1337 hci_conn_switch_role(conn->hcon, 0x00);
1338
1339 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1340 }
1341
1342 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1343 {
1344 if (rfcomm_check_security(d)) {
1345 if (d->defer_setup) {
1346 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1347 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1348
1349 rfcomm_dlc_lock(d);
1350 d->state = BT_CONNECT2;
1351 d->state_change(d, 0);
1352 rfcomm_dlc_unlock(d);
1353 } else
1354 rfcomm_dlc_accept(d);
1355 } else {
1356 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1357 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1358 }
1359 }
1360
1361 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1362 {
1363 struct rfcomm_dlc *d;
1364 u8 channel;
1365
1366 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1367
1368 if (!dlci) {
1369 rfcomm_send_ua(s, 0);
1370
1371 if (s->state == BT_OPEN) {
1372 s->state = BT_CONNECTED;
1373 rfcomm_process_connect(s);
1374 }
1375 return 0;
1376 }
1377
1378 /* Check if DLC exists */
1379 d = rfcomm_dlc_get(s, dlci);
1380 if (d) {
1381 if (d->state == BT_OPEN) {
1382 /* DLC was previously opened by PN request */
1383 rfcomm_check_accept(d);
1384 }
1385 return 0;
1386 }
1387
1388 /* Notify socket layer about incoming connection */
1389 channel = __srv_channel(dlci);
1390 if (rfcomm_connect_ind(s, channel, &d)) {
1391 d->dlci = dlci;
1392 d->addr = __addr(s->initiator, dlci);
1393 rfcomm_dlc_link(s, d);
1394
1395 rfcomm_check_accept(d);
1396 } else {
1397 rfcomm_send_dm(s, dlci);
1398 }
1399
1400 return 0;
1401 }
1402
1403 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1404 {
1405 struct rfcomm_session *s = d->session;
1406
1407 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1408 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1409
1410 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1411 pn->flow_ctrl == 0xe0) {
1412 d->cfc = RFCOMM_CFC_ENABLED;
1413 d->tx_credits = pn->credits;
1414 } else {
1415 d->cfc = RFCOMM_CFC_DISABLED;
1416 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1417 }
1418
1419 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1420 s->cfc = d->cfc;
1421
1422 d->priority = pn->priority;
1423
1424 d->mtu = __le16_to_cpu(pn->mtu);
1425
1426 if (cr && d->mtu > s->mtu)
1427 d->mtu = s->mtu;
1428
1429 return 0;
1430 }
1431
1432 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1433 {
1434 struct rfcomm_pn *pn = (void *) skb->data;
1435 struct rfcomm_dlc *d;
1436 u8 dlci = pn->dlci;
1437
1438 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1439
1440 if (!dlci)
1441 return 0;
1442
1443 d = rfcomm_dlc_get(s, dlci);
1444 if (d) {
1445 if (cr) {
1446 /* PN request */
1447 rfcomm_apply_pn(d, cr, pn);
1448 rfcomm_send_pn(s, 0, d);
1449 } else {
1450 /* PN response */
1451 switch (d->state) {
1452 case BT_CONFIG:
1453 rfcomm_apply_pn(d, cr, pn);
1454
1455 d->state = BT_CONNECT;
1456 rfcomm_send_sabm(s, d->dlci);
1457 break;
1458 }
1459 }
1460 } else {
1461 u8 channel = __srv_channel(dlci);
1462
1463 if (!cr)
1464 return 0;
1465
1466 /* PN request for non existing DLC.
1467 * Assume incoming connection. */
1468 if (rfcomm_connect_ind(s, channel, &d)) {
1469 d->dlci = dlci;
1470 d->addr = __addr(s->initiator, dlci);
1471 rfcomm_dlc_link(s, d);
1472
1473 rfcomm_apply_pn(d, cr, pn);
1474
1475 d->state = BT_OPEN;
1476 rfcomm_send_pn(s, 0, d);
1477 } else {
1478 rfcomm_send_dm(s, dlci);
1479 }
1480 }
1481 return 0;
1482 }
1483
1484 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1485 {
1486 struct rfcomm_rpn *rpn = (void *) skb->data;
1487 u8 dlci = __get_dlci(rpn->dlci);
1488
1489 u8 bit_rate = 0;
1490 u8 data_bits = 0;
1491 u8 stop_bits = 0;
1492 u8 parity = 0;
1493 u8 flow_ctrl = 0;
1494 u8 xon_char = 0;
1495 u8 xoff_char = 0;
1496 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1497
1498 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1499 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1500 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1501
1502 if (!cr)
1503 return 0;
1504
1505 if (len == 1) {
1506 /* This is a request, return default (according to ETSI TS 07.10) settings */
1507 bit_rate = RFCOMM_RPN_BR_9600;
1508 data_bits = RFCOMM_RPN_DATA_8;
1509 stop_bits = RFCOMM_RPN_STOP_1;
1510 parity = RFCOMM_RPN_PARITY_NONE;
1511 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1512 xon_char = RFCOMM_RPN_XON_CHAR;
1513 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1514 goto rpn_out;
1515 }
1516
1517 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1518 * no parity, no flow control lines, normal XON/XOFF chars */
1519
1520 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1521 bit_rate = rpn->bit_rate;
1522 if (bit_rate > RFCOMM_RPN_BR_230400) {
1523 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1524 bit_rate = RFCOMM_RPN_BR_9600;
1525 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1526 }
1527 }
1528
1529 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1530 data_bits = __get_rpn_data_bits(rpn->line_settings);
1531 if (data_bits != RFCOMM_RPN_DATA_8) {
1532 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1533 data_bits = RFCOMM_RPN_DATA_8;
1534 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1535 }
1536 }
1537
1538 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1539 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1540 if (stop_bits != RFCOMM_RPN_STOP_1) {
1541 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1542 stop_bits = RFCOMM_RPN_STOP_1;
1543 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1544 }
1545 }
1546
1547 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1548 parity = __get_rpn_parity(rpn->line_settings);
1549 if (parity != RFCOMM_RPN_PARITY_NONE) {
1550 BT_DBG("RPN parity mismatch 0x%x", parity);
1551 parity = RFCOMM_RPN_PARITY_NONE;
1552 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1553 }
1554 }
1555
1556 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1557 flow_ctrl = rpn->flow_ctrl;
1558 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1559 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1560 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1561 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1562 }
1563 }
1564
1565 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1566 xon_char = rpn->xon_char;
1567 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1568 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1569 xon_char = RFCOMM_RPN_XON_CHAR;
1570 rpn_mask ^= RFCOMM_RPN_PM_XON;
1571 }
1572 }
1573
1574 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1575 xoff_char = rpn->xoff_char;
1576 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1577 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1578 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1579 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1580 }
1581 }
1582
1583 rpn_out:
1584 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1585 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1586
1587 return 0;
1588 }
1589
1590 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1591 {
1592 struct rfcomm_rls *rls = (void *) skb->data;
1593 u8 dlci = __get_dlci(rls->dlci);
1594
1595 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1596
1597 if (!cr)
1598 return 0;
1599
1600 /* We should probably do something with this information here. But
1601 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1602 * mandatory to recognise and respond to RLS */
1603
1604 rfcomm_send_rls(s, 0, dlci, rls->status);
1605
1606 return 0;
1607 }
1608
1609 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1610 {
1611 struct rfcomm_msc *msc = (void *) skb->data;
1612 struct rfcomm_dlc *d;
1613 u8 dlci = __get_dlci(msc->dlci);
1614
1615 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1616
1617 d = rfcomm_dlc_get(s, dlci);
1618 if (!d)
1619 return 0;
1620
1621 if (cr) {
1622 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1623 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1624 else
1625 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1626
1627 rfcomm_dlc_lock(d);
1628
1629 d->remote_v24_sig = msc->v24_sig;
1630
1631 if (d->modem_status)
1632 d->modem_status(d, msc->v24_sig);
1633
1634 rfcomm_dlc_unlock(d);
1635
1636 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1637
1638 d->mscex |= RFCOMM_MSCEX_RX;
1639 } else
1640 d->mscex |= RFCOMM_MSCEX_TX;
1641
1642 return 0;
1643 }
1644
1645 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1646 {
1647 struct rfcomm_mcc *mcc = (void *) skb->data;
1648 u8 type, cr, len;
1649
1650 cr = __test_cr(mcc->type);
1651 type = __get_mcc_type(mcc->type);
1652 len = __get_mcc_len(mcc->len);
1653
1654 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1655
1656 skb_pull(skb, 2);
1657
1658 switch (type) {
1659 case RFCOMM_PN:
1660 rfcomm_recv_pn(s, cr, skb);
1661 break;
1662
1663 case RFCOMM_RPN:
1664 rfcomm_recv_rpn(s, cr, len, skb);
1665 break;
1666
1667 case RFCOMM_RLS:
1668 rfcomm_recv_rls(s, cr, skb);
1669 break;
1670
1671 case RFCOMM_MSC:
1672 rfcomm_recv_msc(s, cr, skb);
1673 break;
1674
1675 case RFCOMM_FCOFF:
1676 if (cr) {
1677 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1678 rfcomm_send_fcoff(s, 0);
1679 }
1680 break;
1681
1682 case RFCOMM_FCON:
1683 if (cr) {
1684 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1685 rfcomm_send_fcon(s, 0);
1686 }
1687 break;
1688
1689 case RFCOMM_TEST:
1690 if (cr)
1691 rfcomm_send_test(s, 0, skb->data, skb->len);
1692 break;
1693
1694 case RFCOMM_NSC:
1695 break;
1696
1697 default:
1698 BT_ERR("Unknown control type 0x%02x", type);
1699 rfcomm_send_nsc(s, cr, type);
1700 break;
1701 }
1702 return 0;
1703 }
1704
1705 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1706 {
1707 struct rfcomm_dlc *d;
1708
1709 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1710
1711 d = rfcomm_dlc_get(s, dlci);
1712 if (!d) {
1713 rfcomm_send_dm(s, dlci);
1714 goto drop;
1715 }
1716
1717 if (pf && d->cfc) {
1718 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1719
1720 d->tx_credits += credits;
1721 if (d->tx_credits)
1722 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1723 }
1724
1725 if (skb->len && d->state == BT_CONNECTED) {
1726 rfcomm_dlc_lock(d);
1727 d->rx_credits--;
1728 d->data_ready(d, skb);
1729 rfcomm_dlc_unlock(d);
1730 return 0;
1731 }
1732
1733 drop:
1734 kfree_skb(skb);
1735 return 0;
1736 }
1737
1738 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1739 struct sk_buff *skb)
1740 {
1741 struct rfcomm_hdr *hdr = (void *) skb->data;
1742 u8 type, dlci, fcs;
1743
1744 if (!s) {
1745 /* no session, so free socket data */
1746 kfree_skb(skb);
1747 return s;
1748 }
1749
1750 dlci = __get_dlci(hdr->addr);
1751 type = __get_type(hdr->ctrl);
1752
1753 /* Trim FCS */
1754 skb->len--; skb->tail--;
1755 fcs = *(u8 *)skb_tail_pointer(skb);
1756
1757 if (__check_fcs(skb->data, type, fcs)) {
1758 BT_ERR("bad checksum in packet");
1759 kfree_skb(skb);
1760 return s;
1761 }
1762
1763 if (__test_ea(hdr->len))
1764 skb_pull(skb, 3);
1765 else
1766 skb_pull(skb, 4);
1767
1768 switch (type) {
1769 case RFCOMM_SABM:
1770 if (__test_pf(hdr->ctrl))
1771 rfcomm_recv_sabm(s, dlci);
1772 break;
1773
1774 case RFCOMM_DISC:
1775 if (__test_pf(hdr->ctrl))
1776 s = rfcomm_recv_disc(s, dlci);
1777 break;
1778
1779 case RFCOMM_UA:
1780 if (__test_pf(hdr->ctrl))
1781 s = rfcomm_recv_ua(s, dlci);
1782 break;
1783
1784 case RFCOMM_DM:
1785 s = rfcomm_recv_dm(s, dlci);
1786 break;
1787
1788 case RFCOMM_UIH:
1789 if (dlci) {
1790 rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1791 return s;
1792 }
1793 rfcomm_recv_mcc(s, skb);
1794 break;
1795
1796 default:
1797 BT_ERR("Unknown packet type 0x%02x", type);
1798 break;
1799 }
1800 kfree_skb(skb);
1801 return s;
1802 }
1803
1804 /* ---- Connection and data processing ---- */
1805
1806 static void rfcomm_process_connect(struct rfcomm_session *s)
1807 {
1808 struct rfcomm_dlc *d, *n;
1809
1810 BT_DBG("session %p state %ld", s, s->state);
1811
1812 list_for_each_entry_safe(d, n, &s->dlcs, list) {
1813 if (d->state == BT_CONFIG) {
1814 d->mtu = s->mtu;
1815 if (rfcomm_check_security(d)) {
1816 rfcomm_send_pn(s, 1, d);
1817 } else {
1818 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1819 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1820 }
1821 }
1822 }
1823 }
1824
1825 /* Send data queued for the DLC.
1826 * Return number of frames left in the queue.
1827 */
1828 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1829 {
1830 struct sk_buff *skb;
1831 int err;
1832
1833 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1834 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1835
1836 /* Send pending MSC */
1837 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1838 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1839
1840 if (d->cfc) {
1841 /* CFC enabled.
1842 * Give them some credits */
1843 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1844 d->rx_credits <= (d->cfc >> 2)) {
1845 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1846 d->rx_credits = d->cfc;
1847 }
1848 } else {
1849 /* CFC disabled.
1850 * Give ourselves some credits */
1851 d->tx_credits = 5;
1852 }
1853
1854 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1855 return skb_queue_len(&d->tx_queue);
1856
1857 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1858 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1859 if (err < 0) {
1860 skb_queue_head(&d->tx_queue, skb);
1861 break;
1862 }
1863 kfree_skb(skb);
1864 d->tx_credits--;
1865 }
1866
1867 if (d->cfc && !d->tx_credits) {
1868 /* We're out of TX credits.
1869 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1870 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1871 }
1872
1873 return skb_queue_len(&d->tx_queue);
1874 }
1875
1876 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1877 {
1878 struct rfcomm_dlc *d, *n;
1879
1880 BT_DBG("session %p state %ld", s, s->state);
1881
1882 list_for_each_entry_safe(d, n, &s->dlcs, list) {
1883 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1884 __rfcomm_dlc_close(d, ETIMEDOUT);
1885 continue;
1886 }
1887
1888 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1889 __rfcomm_dlc_close(d, ECONNREFUSED);
1890 continue;
1891 }
1892
1893 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1894 rfcomm_dlc_clear_timer(d);
1895 if (d->out) {
1896 rfcomm_send_pn(s, 1, d);
1897 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1898 } else {
1899 if (d->defer_setup) {
1900 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1901 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1902
1903 rfcomm_dlc_lock(d);
1904 d->state = BT_CONNECT2;
1905 d->state_change(d, 0);
1906 rfcomm_dlc_unlock(d);
1907 } else
1908 rfcomm_dlc_accept(d);
1909 }
1910 continue;
1911 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1912 rfcomm_dlc_clear_timer(d);
1913 if (!d->out)
1914 rfcomm_send_dm(s, d->dlci);
1915 else
1916 d->state = BT_CLOSED;
1917 __rfcomm_dlc_close(d, ECONNREFUSED);
1918 continue;
1919 }
1920
1921 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1922 continue;
1923
1924 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1925 continue;
1926
1927 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1928 d->mscex == RFCOMM_MSCEX_OK)
1929 rfcomm_process_tx(d);
1930 }
1931 }
1932
1933 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1934 {
1935 struct socket *sock = s->sock;
1936 struct sock *sk = sock->sk;
1937 struct sk_buff *skb;
1938
1939 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1940
1941 /* Get data directly from socket receive queue without copying it. */
1942 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1943 skb_orphan(skb);
1944 if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) {
1945 s = rfcomm_recv_frame(s, skb);
1946 if (!s)
1947 break;
1948 } else {
1949 kfree_skb(skb);
1950 }
1951 }
1952
1953 if (s && (sk->sk_state == BT_CLOSED))
1954 s = rfcomm_session_close(s, sk->sk_err);
1955
1956 return s;
1957 }
1958
1959 static void rfcomm_accept_connection(struct rfcomm_session *s)
1960 {
1961 struct socket *sock = s->sock, *nsock;
1962 int err;
1963
1964 /* Fast check for a new connection.
1965 * Avoids unnesesary socket allocations. */
1966 if (list_empty(&bt_sk(sock->sk)->accept_q))
1967 return;
1968
1969 BT_DBG("session %p", s);
1970
1971 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1972 if (err < 0)
1973 return;
1974
1975 /* Set our callbacks */
1976 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1977 nsock->sk->sk_state_change = rfcomm_l2state_change;
1978
1979 s = rfcomm_session_add(nsock, BT_OPEN);
1980 if (s) {
1981 /* We should adjust MTU on incoming sessions.
1982 * L2CAP MTU minus UIH header and FCS. */
1983 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1984 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1985
1986 rfcomm_schedule();
1987 } else
1988 sock_release(nsock);
1989 }
1990
1991 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1992 {
1993 struct sock *sk = s->sock->sk;
1994
1995 BT_DBG("%p state %ld", s, s->state);
1996
1997 switch (sk->sk_state) {
1998 case BT_CONNECTED:
1999 s->state = BT_CONNECT;
2000
2001 /* We can adjust MTU on outgoing sessions.
2002 * L2CAP MTU minus UIH header and FCS. */
2003 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
2004
2005 rfcomm_send_sabm(s, 0);
2006 break;
2007
2008 case BT_CLOSED:
2009 s = rfcomm_session_close(s, sk->sk_err);
2010 break;
2011 }
2012 return s;
2013 }
2014
2015 static void rfcomm_process_sessions(void)
2016 {
2017 struct rfcomm_session *s, *n;
2018
2019 rfcomm_lock();
2020
2021 list_for_each_entry_safe(s, n, &session_list, list) {
2022 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
2023 s->state = BT_DISCONN;
2024 rfcomm_send_disc(s, 0);
2025 continue;
2026 }
2027
2028 switch (s->state) {
2029 case BT_LISTEN:
2030 rfcomm_accept_connection(s);
2031 continue;
2032
2033 case BT_BOUND:
2034 s = rfcomm_check_connection(s);
2035 break;
2036
2037 default:
2038 s = rfcomm_process_rx(s);
2039 break;
2040 }
2041
2042 if (s)
2043 rfcomm_process_dlcs(s);
2044 }
2045
2046 rfcomm_unlock();
2047 }
2048
2049 static int rfcomm_add_listener(bdaddr_t *ba)
2050 {
2051 struct sockaddr_l2 addr;
2052 struct socket *sock;
2053 struct sock *sk;
2054 struct rfcomm_session *s;
2055 int err = 0;
2056
2057 /* Create socket */
2058 err = rfcomm_l2sock_create(&sock);
2059 if (err < 0) {
2060 BT_ERR("Create socket failed %d", err);
2061 return err;
2062 }
2063
2064 /* Bind socket */
2065 bacpy(&addr.l2_bdaddr, ba);
2066 addr.l2_family = AF_BLUETOOTH;
2067 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM);
2068 addr.l2_cid = 0;
2069 addr.l2_bdaddr_type = BDADDR_BREDR;
2070 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2071 if (err < 0) {
2072 BT_ERR("Bind failed %d", err);
2073 goto failed;
2074 }
2075
2076 /* Set L2CAP options */
2077 sk = sock->sk;
2078 lock_sock(sk);
2079 /* Set MTU to 0 so L2CAP can auto select the MTU */
2080 l2cap_pi(sk)->chan->imtu = 0;
2081 release_sock(sk);
2082
2083 /* Start listening on the socket */
2084 err = kernel_listen(sock, 10);
2085 if (err) {
2086 BT_ERR("Listen failed %d", err);
2087 goto failed;
2088 }
2089
2090 /* Add listening session */
2091 s = rfcomm_session_add(sock, BT_LISTEN);
2092 if (!s) {
2093 err = -ENOMEM;
2094 goto failed;
2095 }
2096
2097 return 0;
2098 failed:
2099 sock_release(sock);
2100 return err;
2101 }
2102
2103 static void rfcomm_kill_listener(void)
2104 {
2105 struct rfcomm_session *s, *n;
2106
2107 BT_DBG("");
2108
2109 list_for_each_entry_safe(s, n, &session_list, list)
2110 rfcomm_session_del(s);
2111 }
2112
2113 static int rfcomm_run(void *unused)
2114 {
2115 DEFINE_WAIT_FUNC(wait, woken_wake_function);
2116 BT_DBG("");
2117
2118 set_user_nice(current, -10);
2119
2120 rfcomm_add_listener(BDADDR_ANY);
2121
2122 add_wait_queue(&rfcomm_wq, &wait);
2123 while (!kthread_should_stop()) {
2124
2125 /* Process stuff */
2126 rfcomm_process_sessions();
2127
2128 wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
2129 }
2130 remove_wait_queue(&rfcomm_wq, &wait);
2131
2132 rfcomm_kill_listener();
2133
2134 return 0;
2135 }
2136
2137 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2138 {
2139 struct rfcomm_session *s;
2140 struct rfcomm_dlc *d, *n;
2141
2142 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2143
2144 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2145 if (!s)
2146 return;
2147
2148 list_for_each_entry_safe(d, n, &s->dlcs, list) {
2149 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2150 rfcomm_dlc_clear_timer(d);
2151 if (status || encrypt == 0x00) {
2152 set_bit(RFCOMM_ENC_DROP, &d->flags);
2153 continue;
2154 }
2155 }
2156
2157 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2158 if (d->sec_level == BT_SECURITY_MEDIUM) {
2159 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2160 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2161 continue;
2162 } else if (d->sec_level == BT_SECURITY_HIGH ||
2163 d->sec_level == BT_SECURITY_FIPS) {
2164 set_bit(RFCOMM_ENC_DROP, &d->flags);
2165 continue;
2166 }
2167 }
2168
2169 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2170 continue;
2171
2172 if (!status && hci_conn_check_secure(conn, d->sec_level))
2173 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2174 else
2175 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2176 }
2177
2178 rfcomm_schedule();
2179 }
2180
2181 static struct hci_cb rfcomm_cb = {
2182 .name = "RFCOMM",
2183 .security_cfm = rfcomm_security_cfm
2184 };
2185
2186 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2187 {
2188 struct rfcomm_session *s;
2189
2190 rfcomm_lock();
2191
2192 list_for_each_entry(s, &session_list, list) {
2193 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
2194 struct rfcomm_dlc *d;
2195 list_for_each_entry(d, &s->dlcs, list) {
2196 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2197 &chan->src, &chan->dst,
2198 d->state, d->dlci, d->mtu,
2199 d->rx_credits, d->tx_credits);
2200 }
2201 }
2202
2203 rfcomm_unlock();
2204
2205 return 0;
2206 }
2207
2208 DEFINE_SHOW_ATTRIBUTE(rfcomm_dlc_debugfs);
2209
2210 static struct dentry *rfcomm_dlc_debugfs;
2211
2212 /* ---- Initialization ---- */
2213 static int __init rfcomm_init(void)
2214 {
2215 int err;
2216
2217 hci_register_cb(&rfcomm_cb);
2218
2219 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2220 if (IS_ERR(rfcomm_thread)) {
2221 err = PTR_ERR(rfcomm_thread);
2222 goto unregister;
2223 }
2224
2225 err = rfcomm_init_ttys();
2226 if (err < 0)
2227 goto stop;
2228
2229 err = rfcomm_init_sockets();
2230 if (err < 0)
2231 goto cleanup;
2232
2233 BT_INFO("RFCOMM ver %s", VERSION);
2234
2235 if (IS_ERR_OR_NULL(bt_debugfs))
2236 return 0;
2237
2238 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2239 bt_debugfs, NULL,
2240 &rfcomm_dlc_debugfs_fops);
2241
2242 return 0;
2243
2244 cleanup:
2245 rfcomm_cleanup_ttys();
2246
2247 stop:
2248 kthread_stop(rfcomm_thread);
2249
2250 unregister:
2251 hci_unregister_cb(&rfcomm_cb);
2252
2253 return err;
2254 }
2255
2256 static void __exit rfcomm_exit(void)
2257 {
2258 debugfs_remove(rfcomm_dlc_debugfs);
2259
2260 hci_unregister_cb(&rfcomm_cb);
2261
2262 kthread_stop(rfcomm_thread);
2263
2264 rfcomm_cleanup_ttys();
2265
2266 rfcomm_cleanup_sockets();
2267 }
2268
2269 module_init(rfcomm_init);
2270 module_exit(rfcomm_exit);
2271
2272 module_param(disable_cfc, bool, 0644);
2273 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2274
2275 module_param(channel_mtu, int, 0644);
2276 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2277
2278 module_param(l2cap_ertm, bool, 0644);
2279 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2280
2281 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2282 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2283 MODULE_VERSION(VERSION);
2284 MODULE_LICENSE("GPL");
2285 MODULE_ALIAS("bt-proto-3");
2286
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.