Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
core.c
Go to the documentation of this file.
1 /*
2  RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3  Copyright (C) 2002 Maxim Krasnyansky <[email protected]>
4  Copyright (C) 2002 Marcel Holtmann <[email protected]>
5 
6  This program is free software; you can redistribute it and/or modify
7  it under the terms of the GNU General Public License version 2 as
8  published by the Free Software Foundation;
9 
10  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11  OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13  IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14  CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15  WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19  ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20  COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21  SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * Bluetooth RFCOMM core.
26  */
27 
28 #include <linux/module.h>
29 #include <linux/debugfs.h>
30 #include <linux/kthread.h>
31 #include <asm/unaligned.h>
32 
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35 #include <net/bluetooth/l2cap.h>
36 #include <net/bluetooth/rfcomm.h>
37 
38 #define VERSION "1.11"
39 
40 static bool disable_cfc;
41 static bool l2cap_ertm;
42 static int channel_mtu = -1;
43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44 
45 static struct task_struct *rfcomm_thread;
46 
47 static DEFINE_MUTEX(rfcomm_mutex);
48 #define rfcomm_lock() mutex_lock(&rfcomm_mutex)
49 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
50 
51 
52 static LIST_HEAD(session_list);
53 
54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64 
65 static void rfcomm_process_connect(struct rfcomm_session *s);
66 
67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68  bdaddr_t *dst,
69  u8 sec_level,
70  int *err);
71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
72 static void rfcomm_session_del(struct rfcomm_session *s);
73 
74 /* ---- RFCOMM frame parsing macros ---- */
75 #define __get_dlci(b) ((b & 0xfc) >> 2)
76 #define __get_channel(b) ((b & 0xf8) >> 3)
77 #define __get_dir(b) ((b & 0x04) >> 2)
78 #define __get_type(b) ((b & 0xef))
79 
80 #define __test_ea(b) ((b & 0x01))
81 #define __test_cr(b) ((b & 0x02))
82 #define __test_pf(b) ((b & 0x10))
83 
84 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
85 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
86 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
87 #define __srv_channel(dlci) (dlci >> 1)
88 #define __dir(dlci) (dlci & 0x01)
89 
90 #define __len8(len) (((len) << 1) | 1)
91 #define __len16(len) ((len) << 1)
92 
93 /* MCC macros */
94 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
95 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
96 #define __get_mcc_len(b) ((b & 0xfe) >> 1)
97 
98 /* RPN macros */
99 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
100 #define __get_rpn_data_bits(line) ((line) & 0x3)
101 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
102 #define __get_rpn_parity(line) (((line) >> 3) & 0x7)
103 
104 static void rfcomm_schedule(void)
105 {
106  if (!rfcomm_thread)
107  return;
108  wake_up_process(rfcomm_thread);
109 }
110 
111 static void rfcomm_session_put(struct rfcomm_session *s)
112 {
113  if (atomic_dec_and_test(&s->refcnt))
114  rfcomm_session_del(s);
115 }
116 
117 /* ---- RFCOMM FCS computation ---- */
118 
119 /* reversed, 8-bit, poly=0x07 */
120 static unsigned char rfcomm_crc_table[256] = {
121  0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
122  0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
123  0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
124  0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
125 
126  0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
127  0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
128  0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
129  0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
130 
131  0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
132  0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
133  0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
134  0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
135 
136  0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
137  0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
138  0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
139  0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
140 
141  0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
142  0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
143  0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
144  0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
145 
146  0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
147  0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
148  0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
149  0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
150 
151  0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
152  0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
153  0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
154  0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
155 
156  0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
157  0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
158  0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
159  0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
160 };
161 
162 /* CRC on 2 bytes */
163 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
164 
165 /* FCS on 2 bytes */
166 static inline u8 __fcs(u8 *data)
167 {
168  return 0xff - __crc(data);
169 }
170 
171 /* FCS on 3 bytes */
172 static inline u8 __fcs2(u8 *data)
173 {
174  return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
175 }
176 
177 /* Check FCS */
178 static inline int __check_fcs(u8 *data, int type, u8 fcs)
179 {
180  u8 f = __crc(data);
181 
182  if (type != RFCOMM_UIH)
183  f = rfcomm_crc_table[f ^ data[2]];
184 
185  return rfcomm_crc_table[f ^ fcs] != 0xcf;
186 }
187 
188 /* ---- L2CAP callbacks ---- */
189 static void rfcomm_l2state_change(struct sock *sk)
190 {
191  BT_DBG("%p state %d", sk, sk->sk_state);
192  rfcomm_schedule();
193 }
194 
195 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
196 {
197  BT_DBG("%p bytes %d", sk, bytes);
198  rfcomm_schedule();
199 }
200 
201 static int rfcomm_l2sock_create(struct socket **sock)
202 {
203  int err;
204 
205  BT_DBG("");
206 
207  err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
208  if (!err) {
209  struct sock *sk = (*sock)->sk;
210  sk->sk_data_ready = rfcomm_l2data_ready;
211  sk->sk_state_change = rfcomm_l2state_change;
212  }
213  return err;
214 }
215 
216 static int rfcomm_check_security(struct rfcomm_dlc *d)
217 {
218  struct sock *sk = d->session->sock->sk;
219  struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
220 
221  __u8 auth_type;
222 
223  switch (d->sec_level) {
224  case BT_SECURITY_HIGH:
225  auth_type = HCI_AT_GENERAL_BONDING_MITM;
226  break;
227  case BT_SECURITY_MEDIUM:
228  auth_type = HCI_AT_GENERAL_BONDING;
229  break;
230  default:
231  auth_type = HCI_AT_NO_BONDING;
232  break;
233  }
234 
235  return hci_conn_security(conn->hcon, d->sec_level, auth_type);
236 }
237 
238 static void rfcomm_session_timeout(unsigned long arg)
239 {
240  struct rfcomm_session *s = (void *) arg;
241 
242  BT_DBG("session %p state %ld", s, s->state);
243 
244  set_bit(RFCOMM_TIMED_OUT, &s->flags);
245  rfcomm_schedule();
246 }
247 
248 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
249 {
250  BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
251 
252  if (!mod_timer(&s->timer, jiffies + timeout))
253  rfcomm_session_hold(s);
254 }
255 
256 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
257 {
258  BT_DBG("session %p state %ld", s, s->state);
259 
260  if (timer_pending(&s->timer) && del_timer(&s->timer))
261  rfcomm_session_put(s);
262 }
263 
264 /* ---- RFCOMM DLCs ---- */
265 static void rfcomm_dlc_timeout(unsigned long arg)
266 {
267  struct rfcomm_dlc *d = (void *) arg;
268 
269  BT_DBG("dlc %p state %ld", d, d->state);
270 
271  set_bit(RFCOMM_TIMED_OUT, &d->flags);
272  rfcomm_dlc_put(d);
273  rfcomm_schedule();
274 }
275 
276 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
277 {
278  BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
279 
280  if (!mod_timer(&d->timer, jiffies + timeout))
281  rfcomm_dlc_hold(d);
282 }
283 
284 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
285 {
286  BT_DBG("dlc %p state %ld", d, d->state);
287 
288  if (timer_pending(&d->timer) && del_timer(&d->timer))
289  rfcomm_dlc_put(d);
290 }
291 
292 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
293 {
294  BT_DBG("%p", d);
295 
296  d->state = BT_OPEN;
297  d->flags = 0;
298  d->mscex = 0;
299  d->sec_level = BT_SECURITY_LOW;
300  d->mtu = RFCOMM_DEFAULT_MTU;
301  d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
302 
303  d->cfc = RFCOMM_CFC_DISABLED;
304  d->rx_credits = RFCOMM_DEFAULT_CREDITS;
305 }
306 
307 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
308 {
309  struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
310 
311  if (!d)
312  return NULL;
313 
314  setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
315 
316  skb_queue_head_init(&d->tx_queue);
317  spin_lock_init(&d->lock);
318  atomic_set(&d->refcnt, 1);
319 
320  rfcomm_dlc_clear_state(d);
321 
322  BT_DBG("%p", d);
323 
324  return d;
325 }
326 
327 void rfcomm_dlc_free(struct rfcomm_dlc *d)
328 {
329  BT_DBG("%p", d);
330 
331  skb_queue_purge(&d->tx_queue);
332  kfree(d);
333 }
334 
335 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
336 {
337  BT_DBG("dlc %p session %p", d, s);
338 
339  rfcomm_session_hold(s);
340 
341  rfcomm_session_clear_timer(s);
342  rfcomm_dlc_hold(d);
343  list_add(&d->list, &s->dlcs);
344  d->session = s;
345 }
346 
347 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
348 {
349  struct rfcomm_session *s = d->session;
350 
351  BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
352 
353  list_del(&d->list);
354  d->session = NULL;
355  rfcomm_dlc_put(d);
356 
357  if (list_empty(&s->dlcs))
358  rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
359 
360  rfcomm_session_put(s);
361 }
362 
363 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
364 {
365  struct rfcomm_dlc *d;
366 
367  list_for_each_entry(d, &s->dlcs, list)
368  if (d->dlci == dlci)
369  return d;
370 
371  return NULL;
372 }
373 
374 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
375 {
376  struct rfcomm_session *s;
377  int err = 0;
378  u8 dlci;
379 
380  BT_DBG("dlc %p state %ld %s %s channel %d",
381  d, d->state, batostr(src), batostr(dst), channel);
382 
383  if (channel < 1 || channel > 30)
384  return -EINVAL;
385 
386  if (d->state != BT_OPEN && d->state != BT_CLOSED)
387  return 0;
388 
389  s = rfcomm_session_get(src, dst);
390  if (!s) {
391  s = rfcomm_session_create(src, dst, d->sec_level, &err);
392  if (!s)
393  return err;
394  }
395 
396  dlci = __dlci(!s->initiator, channel);
397 
398  /* Check if DLCI already exists */
399  if (rfcomm_dlc_get(s, dlci))
400  return -EBUSY;
401 
402  rfcomm_dlc_clear_state(d);
403 
404  d->dlci = dlci;
405  d->addr = __addr(s->initiator, dlci);
406  d->priority = 7;
407 
408  d->state = BT_CONFIG;
409  rfcomm_dlc_link(s, d);
410 
411  d->out = 1;
412 
413  d->mtu = s->mtu;
414  d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
415 
416  if (s->state == BT_CONNECTED) {
417  if (rfcomm_check_security(d))
418  rfcomm_send_pn(s, 1, d);
419  else
420  set_bit(RFCOMM_AUTH_PENDING, &d->flags);
421  }
422 
423  rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
424 
425  return 0;
426 }
427 
428 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
429 {
430  int r;
431 
432  rfcomm_lock();
433 
434  r = __rfcomm_dlc_open(d, src, dst, channel);
435 
436  rfcomm_unlock();
437  return r;
438 }
439 
440 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
441 {
442  struct rfcomm_session *s = d->session;
443  if (!s)
444  return 0;
445 
446  BT_DBG("dlc %p state %ld dlci %d err %d session %p",
447  d, d->state, d->dlci, err, s);
448 
449  switch (d->state) {
450  case BT_CONNECT:
451  case BT_CONFIG:
452  if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
453  set_bit(RFCOMM_AUTH_REJECT, &d->flags);
454  rfcomm_schedule();
455  break;
456  }
457  /* Fall through */
458 
459  case BT_CONNECTED:
460  d->state = BT_DISCONN;
461  if (skb_queue_empty(&d->tx_queue)) {
462  rfcomm_send_disc(s, d->dlci);
463  rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
464  } else {
465  rfcomm_queue_disc(d);
466  rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
467  }
468  break;
469 
470  case BT_OPEN:
471  case BT_CONNECT2:
472  if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
473  set_bit(RFCOMM_AUTH_REJECT, &d->flags);
474  rfcomm_schedule();
475  break;
476  }
477  /* Fall through */
478 
479  default:
480  rfcomm_dlc_clear_timer(d);
481 
482  rfcomm_dlc_lock(d);
483  d->state = BT_CLOSED;
484  d->state_change(d, err);
485  rfcomm_dlc_unlock(d);
486 
487  skb_queue_purge(&d->tx_queue);
488  rfcomm_dlc_unlink(d);
489  }
490 
491  return 0;
492 }
493 
494 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
495 {
496  int r;
497 
498  rfcomm_lock();
499 
500  r = __rfcomm_dlc_close(d, err);
501 
502  rfcomm_unlock();
503  return r;
504 }
505 
506 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
507 {
508  int len = skb->len;
509 
510  if (d->state != BT_CONNECTED)
511  return -ENOTCONN;
512 
513  BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
514 
515  if (len > d->mtu)
516  return -EINVAL;
517 
518  rfcomm_make_uih(skb, d->addr);
519  skb_queue_tail(&d->tx_queue, skb);
520 
521  if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
522  rfcomm_schedule();
523  return len;
524 }
525 
526 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
527 {
528  BT_DBG("dlc %p state %ld", d, d->state);
529 
530  if (!d->cfc) {
531  d->v24_sig |= RFCOMM_V24_FC;
532  set_bit(RFCOMM_MSC_PENDING, &d->flags);
533  }
534  rfcomm_schedule();
535 }
536 
537 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
538 {
539  BT_DBG("dlc %p state %ld", d, d->state);
540 
541  if (!d->cfc) {
542  d->v24_sig &= ~RFCOMM_V24_FC;
543  set_bit(RFCOMM_MSC_PENDING, &d->flags);
544  }
545  rfcomm_schedule();
546 }
547 
548 /*
549  Set/get modem status functions use _local_ status i.e. what we report
550  to the other side.
551  Remote status is provided by dlc->modem_status() callback.
552  */
553 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
554 {
555  BT_DBG("dlc %p state %ld v24_sig 0x%x",
556  d, d->state, v24_sig);
557 
558  if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
559  v24_sig |= RFCOMM_V24_FC;
560  else
561  v24_sig &= ~RFCOMM_V24_FC;
562 
563  d->v24_sig = v24_sig;
564 
565  if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
566  rfcomm_schedule();
567 
568  return 0;
569 }
570 
571 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
572 {
573  BT_DBG("dlc %p state %ld v24_sig 0x%x",
574  d, d->state, d->v24_sig);
575 
576  *v24_sig = d->v24_sig;
577  return 0;
578 }
579 
580 /* ---- RFCOMM sessions ---- */
581 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
582 {
583  struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
584 
585  if (!s)
586  return NULL;
587 
588  BT_DBG("session %p sock %p", s, sock);
589 
590  setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
591 
592  INIT_LIST_HEAD(&s->dlcs);
593  s->state = state;
594  s->sock = sock;
595 
596  s->mtu = RFCOMM_DEFAULT_MTU;
597  s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
598 
599  /* Do not increment module usage count for listening sessions.
600  * Otherwise we won't be able to unload the module. */
601  if (state != BT_LISTEN)
602  if (!try_module_get(THIS_MODULE)) {
603  kfree(s);
604  return NULL;
605  }
606 
607  list_add(&s->list, &session_list);
608 
609  return s;
610 }
611 
612 static void rfcomm_session_del(struct rfcomm_session *s)
613 {
614  int state = s->state;
615 
616  BT_DBG("session %p state %ld", s, s->state);
617 
618  list_del(&s->list);
619 
620  if (state == BT_CONNECTED)
621  rfcomm_send_disc(s, 0);
622 
623  rfcomm_session_clear_timer(s);
624  sock_release(s->sock);
625  kfree(s);
626 
627  if (state != BT_LISTEN)
628  module_put(THIS_MODULE);
629 }
630 
631 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
632 {
633  struct rfcomm_session *s;
634  struct list_head *p, *n;
635  struct bt_sock *sk;
636  list_for_each_safe(p, n, &session_list) {
637  s = list_entry(p, struct rfcomm_session, list);
638  sk = bt_sk(s->sock->sk);
639 
640  if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
641  !bacmp(&sk->dst, dst))
642  return s;
643  }
644  return NULL;
645 }
646 
647 static void rfcomm_session_close(struct rfcomm_session *s, int err)
648 {
649  struct rfcomm_dlc *d;
650  struct list_head *p, *n;
651 
652  BT_DBG("session %p state %ld err %d", s, s->state, err);
653 
654  rfcomm_session_hold(s);
655 
656  s->state = BT_CLOSED;
657 
658  /* Close all dlcs */
659  list_for_each_safe(p, n, &s->dlcs) {
660  d = list_entry(p, struct rfcomm_dlc, list);
661  d->state = BT_CLOSED;
662  __rfcomm_dlc_close(d, err);
663  }
664 
665  rfcomm_session_clear_timer(s);
666  rfcomm_session_put(s);
667 }
668 
669 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
670  bdaddr_t *dst,
671  u8 sec_level,
672  int *err)
673 {
674  struct rfcomm_session *s = NULL;
675  struct sockaddr_l2 addr;
676  struct socket *sock;
677  struct sock *sk;
678 
679  BT_DBG("%s %s", batostr(src), batostr(dst));
680 
681  *err = rfcomm_l2sock_create(&sock);
682  if (*err < 0)
683  return NULL;
684 
685  bacpy(&addr.l2_bdaddr, src);
686  addr.l2_family = AF_BLUETOOTH;
687  addr.l2_psm = 0;
688  addr.l2_cid = 0;
689  *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
690  if (*err < 0)
691  goto failed;
692 
693  /* Set L2CAP options */
694  sk = sock->sk;
695  lock_sock(sk);
696  l2cap_pi(sk)->chan->imtu = l2cap_mtu;
697  l2cap_pi(sk)->chan->sec_level = sec_level;
698  if (l2cap_ertm)
699  l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
700  release_sock(sk);
701 
702  s = rfcomm_session_add(sock, BT_BOUND);
703  if (!s) {
704  *err = -ENOMEM;
705  goto failed;
706  }
707 
708  s->initiator = 1;
709 
710  bacpy(&addr.l2_bdaddr, dst);
711  addr.l2_family = AF_BLUETOOTH;
712  addr.l2_psm = cpu_to_le16(RFCOMM_PSM);
713  addr.l2_cid = 0;
714  *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
715  if (*err == 0 || *err == -EINPROGRESS)
716  return s;
717 
718  rfcomm_session_del(s);
719  return NULL;
720 
721 failed:
722  sock_release(sock);
723  return NULL;
724 }
725 
726 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
727 {
728  struct sock *sk = s->sock->sk;
729  if (src)
730  bacpy(src, &bt_sk(sk)->src);
731  if (dst)
732  bacpy(dst, &bt_sk(sk)->dst);
733 }
734 
735 /* ---- RFCOMM frame sending ---- */
736 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
737 {
738  struct kvec iv = { data, len };
739  struct msghdr msg;
740 
741  BT_DBG("session %p len %d", s, len);
742 
743  memset(&msg, 0, sizeof(msg));
744 
745  return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
746 }
747 
748 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
749 {
750  BT_DBG("%p cmd %u", s, cmd->ctrl);
751 
752  return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
753 }
754 
755 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
756 {
757  struct rfcomm_cmd cmd;
758 
759  BT_DBG("%p dlci %d", s, dlci);
760 
761  cmd.addr = __addr(s->initiator, dlci);
762  cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
763  cmd.len = __len8(0);
764  cmd.fcs = __fcs2((u8 *) &cmd);
765 
766  return rfcomm_send_cmd(s, &cmd);
767 }
768 
769 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
770 {
771  struct rfcomm_cmd cmd;
772 
773  BT_DBG("%p dlci %d", s, dlci);
774 
775  cmd.addr = __addr(!s->initiator, dlci);
776  cmd.ctrl = __ctrl(RFCOMM_UA, 1);
777  cmd.len = __len8(0);
778  cmd.fcs = __fcs2((u8 *) &cmd);
779 
780  return rfcomm_send_cmd(s, &cmd);
781 }
782 
783 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
784 {
785  struct rfcomm_cmd cmd;
786 
787  BT_DBG("%p dlci %d", s, dlci);
788 
789  cmd.addr = __addr(s->initiator, dlci);
790  cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
791  cmd.len = __len8(0);
792  cmd.fcs = __fcs2((u8 *) &cmd);
793 
794  return rfcomm_send_cmd(s, &cmd);
795 }
796 
797 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
798 {
799  struct rfcomm_cmd *cmd;
800  struct sk_buff *skb;
801 
802  BT_DBG("dlc %p dlci %d", d, d->dlci);
803 
804  skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
805  if (!skb)
806  return -ENOMEM;
807 
808  cmd = (void *) __skb_put(skb, sizeof(*cmd));
809  cmd->addr = d->addr;
810  cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
811  cmd->len = __len8(0);
812  cmd->fcs = __fcs2((u8 *) cmd);
813 
814  skb_queue_tail(&d->tx_queue, skb);
815  rfcomm_schedule();
816  return 0;
817 }
818 
819 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
820 {
821  struct rfcomm_cmd cmd;
822 
823  BT_DBG("%p dlci %d", s, dlci);
824 
825  cmd.addr = __addr(!s->initiator, dlci);
826  cmd.ctrl = __ctrl(RFCOMM_DM, 1);
827  cmd.len = __len8(0);
828  cmd.fcs = __fcs2((u8 *) &cmd);
829 
830  return rfcomm_send_cmd(s, &cmd);
831 }
832 
833 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
834 {
835  struct rfcomm_hdr *hdr;
836  struct rfcomm_mcc *mcc;
837  u8 buf[16], *ptr = buf;
838 
839  BT_DBG("%p cr %d type %d", s, cr, type);
840 
841  hdr = (void *) ptr; ptr += sizeof(*hdr);
842  hdr->addr = __addr(s->initiator, 0);
843  hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
844  hdr->len = __len8(sizeof(*mcc) + 1);
845 
846  mcc = (void *) ptr; ptr += sizeof(*mcc);
847  mcc->type = __mcc_type(cr, RFCOMM_NSC);
848  mcc->len = __len8(1);
849 
850  /* Type that we didn't like */
851  *ptr = __mcc_type(cr, type); ptr++;
852 
853  *ptr = __fcs(buf); ptr++;
854 
855  return rfcomm_send_frame(s, buf, ptr - buf);
856 }
857 
858 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
859 {
860  struct rfcomm_hdr *hdr;
861  struct rfcomm_mcc *mcc;
862  struct rfcomm_pn *pn;
863  u8 buf[16], *ptr = buf;
864 
865  BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
866 
867  hdr = (void *) ptr; ptr += sizeof(*hdr);
868  hdr->addr = __addr(s->initiator, 0);
869  hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
870  hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
871 
872  mcc = (void *) ptr; ptr += sizeof(*mcc);
873  mcc->type = __mcc_type(cr, RFCOMM_PN);
874  mcc->len = __len8(sizeof(*pn));
875 
876  pn = (void *) ptr; ptr += sizeof(*pn);
877  pn->dlci = d->dlci;
878  pn->priority = d->priority;
879  pn->ack_timer = 0;
880  pn->max_retrans = 0;
881 
882  if (s->cfc) {
883  pn->flow_ctrl = cr ? 0xf0 : 0xe0;
884  pn->credits = RFCOMM_DEFAULT_CREDITS;
885  } else {
886  pn->flow_ctrl = 0;
887  pn->credits = 0;
888  }
889 
890  if (cr && channel_mtu >= 0)
891  pn->mtu = cpu_to_le16(channel_mtu);
892  else
893  pn->mtu = cpu_to_le16(d->mtu);
894 
895  *ptr = __fcs(buf); ptr++;
896 
897  return rfcomm_send_frame(s, buf, ptr - buf);
898 }
899 
900 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
901  u8 bit_rate, u8 data_bits, u8 stop_bits,
902  u8 parity, u8 flow_ctrl_settings,
903  u8 xon_char, u8 xoff_char, u16 param_mask)
904 {
905  struct rfcomm_hdr *hdr;
906  struct rfcomm_mcc *mcc;
907  struct rfcomm_rpn *rpn;
908  u8 buf[16], *ptr = buf;
909 
910  BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
911  " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
912  s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
913  flow_ctrl_settings, xon_char, xoff_char, param_mask);
914 
915  hdr = (void *) ptr; ptr += sizeof(*hdr);
916  hdr->addr = __addr(s->initiator, 0);
917  hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
918  hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
919 
920  mcc = (void *) ptr; ptr += sizeof(*mcc);
921  mcc->type = __mcc_type(cr, RFCOMM_RPN);
922  mcc->len = __len8(sizeof(*rpn));
923 
924  rpn = (void *) ptr; ptr += sizeof(*rpn);
925  rpn->dlci = __addr(1, dlci);
926  rpn->bit_rate = bit_rate;
927  rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
928  rpn->flow_ctrl = flow_ctrl_settings;
929  rpn->xon_char = xon_char;
930  rpn->xoff_char = xoff_char;
931  rpn->param_mask = cpu_to_le16(param_mask);
932 
933  *ptr = __fcs(buf); ptr++;
934 
935  return rfcomm_send_frame(s, buf, ptr - buf);
936 }
937 
938 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
939 {
940  struct rfcomm_hdr *hdr;
941  struct rfcomm_mcc *mcc;
942  struct rfcomm_rls *rls;
943  u8 buf[16], *ptr = buf;
944 
945  BT_DBG("%p cr %d status 0x%x", s, cr, status);
946 
947  hdr = (void *) ptr; ptr += sizeof(*hdr);
948  hdr->addr = __addr(s->initiator, 0);
949  hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
950  hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
951 
952  mcc = (void *) ptr; ptr += sizeof(*mcc);
953  mcc->type = __mcc_type(cr, RFCOMM_RLS);
954  mcc->len = __len8(sizeof(*rls));
955 
956  rls = (void *) ptr; ptr += sizeof(*rls);
957  rls->dlci = __addr(1, dlci);
958  rls->status = status;
959 
960  *ptr = __fcs(buf); ptr++;
961 
962  return rfcomm_send_frame(s, buf, ptr - buf);
963 }
964 
965 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
966 {
967  struct rfcomm_hdr *hdr;
968  struct rfcomm_mcc *mcc;
969  struct rfcomm_msc *msc;
970  u8 buf[16], *ptr = buf;
971 
972  BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
973 
974  hdr = (void *) ptr; ptr += sizeof(*hdr);
975  hdr->addr = __addr(s->initiator, 0);
976  hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
977  hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
978 
979  mcc = (void *) ptr; ptr += sizeof(*mcc);
980  mcc->type = __mcc_type(cr, RFCOMM_MSC);
981  mcc->len = __len8(sizeof(*msc));
982 
983  msc = (void *) ptr; ptr += sizeof(*msc);
984  msc->dlci = __addr(1, dlci);
985  msc->v24_sig = v24_sig | 0x01;
986 
987  *ptr = __fcs(buf); ptr++;
988 
989  return rfcomm_send_frame(s, buf, ptr - buf);
990 }
991 
992 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
993 {
994  struct rfcomm_hdr *hdr;
995  struct rfcomm_mcc *mcc;
996  u8 buf[16], *ptr = buf;
997 
998  BT_DBG("%p cr %d", s, cr);
999 
1000  hdr = (void *) ptr; ptr += sizeof(*hdr);
1001  hdr->addr = __addr(s->initiator, 0);
1002  hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1003  hdr->len = __len8(sizeof(*mcc));
1004 
1005  mcc = (void *) ptr; ptr += sizeof(*mcc);
1006  mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1007  mcc->len = __len8(0);
1008 
1009  *ptr = __fcs(buf); ptr++;
1010 
1011  return rfcomm_send_frame(s, buf, ptr - buf);
1012 }
1013 
1014 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1015 {
1016  struct rfcomm_hdr *hdr;
1017  struct rfcomm_mcc *mcc;
1018  u8 buf[16], *ptr = buf;
1019 
1020  BT_DBG("%p cr %d", s, cr);
1021 
1022  hdr = (void *) ptr; ptr += sizeof(*hdr);
1023  hdr->addr = __addr(s->initiator, 0);
1024  hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1025  hdr->len = __len8(sizeof(*mcc));
1026 
1027  mcc = (void *) ptr; ptr += sizeof(*mcc);
1028  mcc->type = __mcc_type(cr, RFCOMM_FCON);
1029  mcc->len = __len8(0);
1030 
1031  *ptr = __fcs(buf); ptr++;
1032 
1033  return rfcomm_send_frame(s, buf, ptr - buf);
1034 }
1035 
1036 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1037 {
1038  struct socket *sock = s->sock;
1039  struct kvec iv[3];
1040  struct msghdr msg;
1041  unsigned char hdr[5], crc[1];
1042 
1043  if (len > 125)
1044  return -EINVAL;
1045 
1046  BT_DBG("%p cr %d", s, cr);
1047 
1048  hdr[0] = __addr(s->initiator, 0);
1049  hdr[1] = __ctrl(RFCOMM_UIH, 0);
1050  hdr[2] = 0x01 | ((len + 2) << 1);
1051  hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1052  hdr[4] = 0x01 | (len << 1);
1053 
1054  crc[0] = __fcs(hdr);
1055 
1056  iv[0].iov_base = hdr;
1057  iv[0].iov_len = 5;
1058  iv[1].iov_base = pattern;
1059  iv[1].iov_len = len;
1060  iv[2].iov_base = crc;
1061  iv[2].iov_len = 1;
1062 
1063  memset(&msg, 0, sizeof(msg));
1064 
1065  return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1066 }
1067 
1068 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1069 {
1070  struct rfcomm_hdr *hdr;
1071  u8 buf[16], *ptr = buf;
1072 
1073  BT_DBG("%p addr %d credits %d", s, addr, credits);
1074 
1075  hdr = (void *) ptr; ptr += sizeof(*hdr);
1076  hdr->addr = addr;
1077  hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1078  hdr->len = __len8(0);
1079 
1080  *ptr = credits; ptr++;
1081 
1082  *ptr = __fcs(buf); ptr++;
1083 
1084  return rfcomm_send_frame(s, buf, ptr - buf);
1085 }
1086 
1087 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1088 {
1089  struct rfcomm_hdr *hdr;
1090  int len = skb->len;
1091  u8 *crc;
1092 
1093  if (len > 127) {
1094  hdr = (void *) skb_push(skb, 4);
1095  put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1096  } else {
1097  hdr = (void *) skb_push(skb, 3);
1098  hdr->len = __len8(len);
1099  }
1100  hdr->addr = addr;
1101  hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1102 
1103  crc = skb_put(skb, 1);
1104  *crc = __fcs((void *) hdr);
1105 }
1106 
1107 /* ---- RFCOMM frame reception ---- */
1108 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1109 {
1110  BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1111 
1112  if (dlci) {
1113  /* Data channel */
1114  struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1115  if (!d) {
1116  rfcomm_send_dm(s, dlci);
1117  return 0;
1118  }
1119 
1120  switch (d->state) {
1121  case BT_CONNECT:
1122  rfcomm_dlc_clear_timer(d);
1123 
1124  rfcomm_dlc_lock(d);
1125  d->state = BT_CONNECTED;
1126  d->state_change(d, 0);
1127  rfcomm_dlc_unlock(d);
1128 
1129  rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1130  break;
1131 
1132  case BT_DISCONN:
1133  d->state = BT_CLOSED;
1134  __rfcomm_dlc_close(d, 0);
1135 
1136  if (list_empty(&s->dlcs)) {
1137  s->state = BT_DISCONN;
1138  rfcomm_send_disc(s, 0);
1139  rfcomm_session_clear_timer(s);
1140  }
1141 
1142  break;
1143  }
1144  } else {
1145  /* Control channel */
1146  switch (s->state) {
1147  case BT_CONNECT:
1148  s->state = BT_CONNECTED;
1149  rfcomm_process_connect(s);
1150  break;
1151 
1152  case BT_DISCONN:
1153  /* rfcomm_session_put is called later so don't do
1154  * anything here otherwise we will mess up the session
1155  * reference counter:
1156  *
1157  * (a) when we are the initiator dlc_unlink will drive
1158  * the reference counter to 0 (there is no initial put
1159  * after session_add)
1160  *
1161  * (b) when we are not the initiator rfcomm_rx_process
1162  * will explicitly call put to balance the initial hold
1163  * done after session add.
1164  */
1165  break;
1166  }
1167  }
1168  return 0;
1169 }
1170 
1171 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1172 {
1173  int err = 0;
1174 
1175  BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1176 
1177  if (dlci) {
1178  /* Data DLC */
1179  struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1180  if (d) {
1181  if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1182  err = ECONNREFUSED;
1183  else
1184  err = ECONNRESET;
1185 
1186  d->state = BT_CLOSED;
1187  __rfcomm_dlc_close(d, err);
1188  }
1189  } else {
1190  if (s->state == BT_CONNECT)
1191  err = ECONNREFUSED;
1192  else
1193  err = ECONNRESET;
1194 
1195  s->state = BT_CLOSED;
1196  rfcomm_session_close(s, err);
1197  }
1198  return 0;
1199 }
1200 
1201 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1202 {
1203  int err = 0;
1204 
1205  BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1206 
1207  if (dlci) {
1208  struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1209  if (d) {
1210  rfcomm_send_ua(s, dlci);
1211 
1212  if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1213  err = ECONNREFUSED;
1214  else
1215  err = ECONNRESET;
1216 
1217  d->state = BT_CLOSED;
1218  __rfcomm_dlc_close(d, err);
1219  } else
1220  rfcomm_send_dm(s, dlci);
1221 
1222  } else {
1223  rfcomm_send_ua(s, 0);
1224 
1225  if (s->state == BT_CONNECT)
1226  err = ECONNREFUSED;
1227  else
1228  err = ECONNRESET;
1229 
1230  s->state = BT_CLOSED;
1231  rfcomm_session_close(s, err);
1232  }
1233 
1234  return 0;
1235 }
1236 
1237 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1238 {
1239  struct sock *sk = d->session->sock->sk;
1240  struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1241 
1242  BT_DBG("dlc %p", d);
1243 
1244  rfcomm_send_ua(d->session, d->dlci);
1245 
1246  rfcomm_dlc_clear_timer(d);
1247 
1248  rfcomm_dlc_lock(d);
1249  d->state = BT_CONNECTED;
1250  d->state_change(d, 0);
1251  rfcomm_dlc_unlock(d);
1252 
1253  if (d->role_switch)
1254  hci_conn_switch_role(conn->hcon, 0x00);
1255 
1256  rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1257 }
1258 
1259 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1260 {
1261  if (rfcomm_check_security(d)) {
1262  if (d->defer_setup) {
1263  set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1264  rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1265 
1266  rfcomm_dlc_lock(d);
1267  d->state = BT_CONNECT2;
1268  d->state_change(d, 0);
1269  rfcomm_dlc_unlock(d);
1270  } else
1271  rfcomm_dlc_accept(d);
1272  } else {
1273  set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1274  rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1275  }
1276 }
1277 
1278 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1279 {
1280  struct rfcomm_dlc *d;
1281  u8 channel;
1282 
1283  BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1284 
1285  if (!dlci) {
1286  rfcomm_send_ua(s, 0);
1287 
1288  if (s->state == BT_OPEN) {
1289  s->state = BT_CONNECTED;
1290  rfcomm_process_connect(s);
1291  }
1292  return 0;
1293  }
1294 
1295  /* Check if DLC exists */
1296  d = rfcomm_dlc_get(s, dlci);
1297  if (d) {
1298  if (d->state == BT_OPEN) {
1299  /* DLC was previously opened by PN request */
1300  rfcomm_check_accept(d);
1301  }
1302  return 0;
1303  }
1304 
1305  /* Notify socket layer about incoming connection */
1306  channel = __srv_channel(dlci);
1307  if (rfcomm_connect_ind(s, channel, &d)) {
1308  d->dlci = dlci;
1309  d->addr = __addr(s->initiator, dlci);
1310  rfcomm_dlc_link(s, d);
1311 
1312  rfcomm_check_accept(d);
1313  } else {
1314  rfcomm_send_dm(s, dlci);
1315  }
1316 
1317  return 0;
1318 }
1319 
1320 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1321 {
1322  struct rfcomm_session *s = d->session;
1323 
1324  BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1325  d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1326 
1327  if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1328  pn->flow_ctrl == 0xe0) {
1329  d->cfc = RFCOMM_CFC_ENABLED;
1330  d->tx_credits = pn->credits;
1331  } else {
1332  d->cfc = RFCOMM_CFC_DISABLED;
1333  set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1334  }
1335 
1336  if (s->cfc == RFCOMM_CFC_UNKNOWN)
1337  s->cfc = d->cfc;
1338 
1339  d->priority = pn->priority;
1340 
1341  d->mtu = __le16_to_cpu(pn->mtu);
1342 
1343  if (cr && d->mtu > s->mtu)
1344  d->mtu = s->mtu;
1345 
1346  return 0;
1347 }
1348 
1349 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1350 {
1351  struct rfcomm_pn *pn = (void *) skb->data;
1352  struct rfcomm_dlc *d;
1353  u8 dlci = pn->dlci;
1354 
1355  BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1356 
1357  if (!dlci)
1358  return 0;
1359 
1360  d = rfcomm_dlc_get(s, dlci);
1361  if (d) {
1362  if (cr) {
1363  /* PN request */
1364  rfcomm_apply_pn(d, cr, pn);
1365  rfcomm_send_pn(s, 0, d);
1366  } else {
1367  /* PN response */
1368  switch (d->state) {
1369  case BT_CONFIG:
1370  rfcomm_apply_pn(d, cr, pn);
1371 
1372  d->state = BT_CONNECT;
1373  rfcomm_send_sabm(s, d->dlci);
1374  break;
1375  }
1376  }
1377  } else {
1378  u8 channel = __srv_channel(dlci);
1379 
1380  if (!cr)
1381  return 0;
1382 
1383  /* PN request for non existing DLC.
1384  * Assume incoming connection. */
1385  if (rfcomm_connect_ind(s, channel, &d)) {
1386  d->dlci = dlci;
1387  d->addr = __addr(s->initiator, dlci);
1388  rfcomm_dlc_link(s, d);
1389 
1390  rfcomm_apply_pn(d, cr, pn);
1391 
1392  d->state = BT_OPEN;
1393  rfcomm_send_pn(s, 0, d);
1394  } else {
1395  rfcomm_send_dm(s, dlci);
1396  }
1397  }
1398  return 0;
1399 }
1400 
1401 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1402 {
1403  struct rfcomm_rpn *rpn = (void *) skb->data;
1404  u8 dlci = __get_dlci(rpn->dlci);
1405 
1406  u8 bit_rate = 0;
1407  u8 data_bits = 0;
1408  u8 stop_bits = 0;
1409  u8 parity = 0;
1410  u8 flow_ctrl = 0;
1411  u8 xon_char = 0;
1412  u8 xoff_char = 0;
1413  u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1414 
1415  BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1416  dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1417  rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1418 
1419  if (!cr)
1420  return 0;
1421 
1422  if (len == 1) {
1423  /* This is a request, return default (according to ETSI TS 07.10) settings */
1424  bit_rate = RFCOMM_RPN_BR_9600;
1425  data_bits = RFCOMM_RPN_DATA_8;
1426  stop_bits = RFCOMM_RPN_STOP_1;
1427  parity = RFCOMM_RPN_PARITY_NONE;
1428  flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1429  xon_char = RFCOMM_RPN_XON_CHAR;
1430  xoff_char = RFCOMM_RPN_XOFF_CHAR;
1431  goto rpn_out;
1432  }
1433 
1434  /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1435  * no parity, no flow control lines, normal XON/XOFF chars */
1436 
1437  if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1438  bit_rate = rpn->bit_rate;
1439  if (bit_rate > RFCOMM_RPN_BR_230400) {
1440  BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1441  bit_rate = RFCOMM_RPN_BR_9600;
1442  rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1443  }
1444  }
1445 
1446  if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1447  data_bits = __get_rpn_data_bits(rpn->line_settings);
1448  if (data_bits != RFCOMM_RPN_DATA_8) {
1449  BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1450  data_bits = RFCOMM_RPN_DATA_8;
1451  rpn_mask ^= RFCOMM_RPN_PM_DATA;
1452  }
1453  }
1454 
1455  if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1456  stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1457  if (stop_bits != RFCOMM_RPN_STOP_1) {
1458  BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1459  stop_bits = RFCOMM_RPN_STOP_1;
1460  rpn_mask ^= RFCOMM_RPN_PM_STOP;
1461  }
1462  }
1463 
1464  if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1465  parity = __get_rpn_parity(rpn->line_settings);
1466  if (parity != RFCOMM_RPN_PARITY_NONE) {
1467  BT_DBG("RPN parity mismatch 0x%x", parity);
1468  parity = RFCOMM_RPN_PARITY_NONE;
1469  rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1470  }
1471  }
1472 
1473  if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1474  flow_ctrl = rpn->flow_ctrl;
1475  if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1476  BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1477  flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1478  rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1479  }
1480  }
1481 
1482  if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1483  xon_char = rpn->xon_char;
1484  if (xon_char != RFCOMM_RPN_XON_CHAR) {
1485  BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1486  xon_char = RFCOMM_RPN_XON_CHAR;
1487  rpn_mask ^= RFCOMM_RPN_PM_XON;
1488  }
1489  }
1490 
1491  if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1492  xoff_char = rpn->xoff_char;
1493  if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1494  BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1495  xoff_char = RFCOMM_RPN_XOFF_CHAR;
1496  rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1497  }
1498  }
1499 
1500 rpn_out:
1501  rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1502  parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1503 
1504  return 0;
1505 }
1506 
1507 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1508 {
1509  struct rfcomm_rls *rls = (void *) skb->data;
1510  u8 dlci = __get_dlci(rls->dlci);
1511 
1512  BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1513 
1514  if (!cr)
1515  return 0;
1516 
1517  /* We should probably do something with this information here. But
1518  * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1519  * mandatory to recognise and respond to RLS */
1520 
1521  rfcomm_send_rls(s, 0, dlci, rls->status);
1522 
1523  return 0;
1524 }
1525 
1526 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1527 {
1528  struct rfcomm_msc *msc = (void *) skb->data;
1529  struct rfcomm_dlc *d;
1530  u8 dlci = __get_dlci(msc->dlci);
1531 
1532  BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1533 
1534  d = rfcomm_dlc_get(s, dlci);
1535  if (!d)
1536  return 0;
1537 
1538  if (cr) {
1539  if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1540  set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1541  else
1542  clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1543 
1544  rfcomm_dlc_lock(d);
1545 
1546  d->remote_v24_sig = msc->v24_sig;
1547 
1548  if (d->modem_status)
1549  d->modem_status(d, msc->v24_sig);
1550 
1551  rfcomm_dlc_unlock(d);
1552 
1553  rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1554 
1555  d->mscex |= RFCOMM_MSCEX_RX;
1556  } else
1557  d->mscex |= RFCOMM_MSCEX_TX;
1558 
1559  return 0;
1560 }
1561 
1562 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1563 {
1564  struct rfcomm_mcc *mcc = (void *) skb->data;
1565  u8 type, cr, len;
1566 
1567  cr = __test_cr(mcc->type);
1568  type = __get_mcc_type(mcc->type);
1569  len = __get_mcc_len(mcc->len);
1570 
1571  BT_DBG("%p type 0x%x cr %d", s, type, cr);
1572 
1573  skb_pull(skb, 2);
1574 
1575  switch (type) {
1576  case RFCOMM_PN:
1577  rfcomm_recv_pn(s, cr, skb);
1578  break;
1579 
1580  case RFCOMM_RPN:
1581  rfcomm_recv_rpn(s, cr, len, skb);
1582  break;
1583 
1584  case RFCOMM_RLS:
1585  rfcomm_recv_rls(s, cr, skb);
1586  break;
1587 
1588  case RFCOMM_MSC:
1589  rfcomm_recv_msc(s, cr, skb);
1590  break;
1591 
1592  case RFCOMM_FCOFF:
1593  if (cr) {
1594  set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1595  rfcomm_send_fcoff(s, 0);
1596  }
1597  break;
1598 
1599  case RFCOMM_FCON:
1600  if (cr) {
1601  clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1602  rfcomm_send_fcon(s, 0);
1603  }
1604  break;
1605 
1606  case RFCOMM_TEST:
1607  if (cr)
1608  rfcomm_send_test(s, 0, skb->data, skb->len);
1609  break;
1610 
1611  case RFCOMM_NSC:
1612  break;
1613 
1614  default:
1615  BT_ERR("Unknown control type 0x%02x", type);
1616  rfcomm_send_nsc(s, cr, type);
1617  break;
1618  }
1619  return 0;
1620 }
1621 
1622 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1623 {
1624  struct rfcomm_dlc *d;
1625 
1626  BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1627 
1628  d = rfcomm_dlc_get(s, dlci);
1629  if (!d) {
1630  rfcomm_send_dm(s, dlci);
1631  goto drop;
1632  }
1633 
1634  if (pf && d->cfc) {
1635  u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1636 
1637  d->tx_credits += credits;
1638  if (d->tx_credits)
1639  clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1640  }
1641 
1642  if (skb->len && d->state == BT_CONNECTED) {
1643  rfcomm_dlc_lock(d);
1644  d->rx_credits--;
1645  d->data_ready(d, skb);
1646  rfcomm_dlc_unlock(d);
1647  return 0;
1648  }
1649 
1650 drop:
1651  kfree_skb(skb);
1652  return 0;
1653 }
1654 
1655 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1656 {
1657  struct rfcomm_hdr *hdr = (void *) skb->data;
1658  u8 type, dlci, fcs;
1659 
1660  dlci = __get_dlci(hdr->addr);
1661  type = __get_type(hdr->ctrl);
1662 
1663  /* Trim FCS */
1664  skb->len--; skb->tail--;
1665  fcs = *(u8 *)skb_tail_pointer(skb);
1666 
1667  if (__check_fcs(skb->data, type, fcs)) {
1668  BT_ERR("bad checksum in packet");
1669  kfree_skb(skb);
1670  return -EILSEQ;
1671  }
1672 
1673  if (__test_ea(hdr->len))
1674  skb_pull(skb, 3);
1675  else
1676  skb_pull(skb, 4);
1677 
1678  switch (type) {
1679  case RFCOMM_SABM:
1680  if (__test_pf(hdr->ctrl))
1681  rfcomm_recv_sabm(s, dlci);
1682  break;
1683 
1684  case RFCOMM_DISC:
1685  if (__test_pf(hdr->ctrl))
1686  rfcomm_recv_disc(s, dlci);
1687  break;
1688 
1689  case RFCOMM_UA:
1690  if (__test_pf(hdr->ctrl))
1691  rfcomm_recv_ua(s, dlci);
1692  break;
1693 
1694  case RFCOMM_DM:
1695  rfcomm_recv_dm(s, dlci);
1696  break;
1697 
1698  case RFCOMM_UIH:
1699  if (dlci)
1700  return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1701 
1702  rfcomm_recv_mcc(s, skb);
1703  break;
1704 
1705  default:
1706  BT_ERR("Unknown packet type 0x%02x", type);
1707  break;
1708  }
1709  kfree_skb(skb);
1710  return 0;
1711 }
1712 
1713 /* ---- Connection and data processing ---- */
1714 
1715 static void rfcomm_process_connect(struct rfcomm_session *s)
1716 {
1717  struct rfcomm_dlc *d;
1718  struct list_head *p, *n;
1719 
1720  BT_DBG("session %p state %ld", s, s->state);
1721 
1722  list_for_each_safe(p, n, &s->dlcs) {
1723  d = list_entry(p, struct rfcomm_dlc, list);
1724  if (d->state == BT_CONFIG) {
1725  d->mtu = s->mtu;
1726  if (rfcomm_check_security(d)) {
1727  rfcomm_send_pn(s, 1, d);
1728  } else {
1729  set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1730  rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1731  }
1732  }
1733  }
1734 }
1735 
1736 /* Send data queued for the DLC.
1737  * Return number of frames left in the queue.
1738  */
1739 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1740 {
1741  struct sk_buff *skb;
1742  int err;
1743 
1744  BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1745  d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1746 
1747  /* Send pending MSC */
1748  if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1749  rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1750 
1751  if (d->cfc) {
1752  /* CFC enabled.
1753  * Give them some credits */
1754  if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1755  d->rx_credits <= (d->cfc >> 2)) {
1756  rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1757  d->rx_credits = d->cfc;
1758  }
1759  } else {
1760  /* CFC disabled.
1761  * Give ourselves some credits */
1762  d->tx_credits = 5;
1763  }
1764 
1765  if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1766  return skb_queue_len(&d->tx_queue);
1767 
1768  while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1769  err = rfcomm_send_frame(d->session, skb->data, skb->len);
1770  if (err < 0) {
1771  skb_queue_head(&d->tx_queue, skb);
1772  break;
1773  }
1774  kfree_skb(skb);
1775  d->tx_credits--;
1776  }
1777 
1778  if (d->cfc && !d->tx_credits) {
1779  /* We're out of TX credits.
1780  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1781  set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1782  }
1783 
1784  return skb_queue_len(&d->tx_queue);
1785 }
1786 
1787 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1788 {
1789  struct rfcomm_dlc *d;
1790  struct list_head *p, *n;
1791 
1792  BT_DBG("session %p state %ld", s, s->state);
1793 
1794  list_for_each_safe(p, n, &s->dlcs) {
1795  d = list_entry(p, struct rfcomm_dlc, list);
1796 
1797  if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1798  __rfcomm_dlc_close(d, ETIMEDOUT);
1799  continue;
1800  }
1801 
1802  if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1803  __rfcomm_dlc_close(d, ECONNREFUSED);
1804  continue;
1805  }
1806 
1807  if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1808  rfcomm_dlc_clear_timer(d);
1809  if (d->out) {
1810  rfcomm_send_pn(s, 1, d);
1811  rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1812  } else {
1813  if (d->defer_setup) {
1814  set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1815  rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1816 
1817  rfcomm_dlc_lock(d);
1818  d->state = BT_CONNECT2;
1819  d->state_change(d, 0);
1820  rfcomm_dlc_unlock(d);
1821  } else
1822  rfcomm_dlc_accept(d);
1823  }
1824  continue;
1825  } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1826  rfcomm_dlc_clear_timer(d);
1827  if (!d->out)
1828  rfcomm_send_dm(s, d->dlci);
1829  else
1830  d->state = BT_CLOSED;
1831  __rfcomm_dlc_close(d, ECONNREFUSED);
1832  continue;
1833  }
1834 
1835  if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1836  continue;
1837 
1838  if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1839  continue;
1840 
1841  if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1842  d->mscex == RFCOMM_MSCEX_OK)
1843  rfcomm_process_tx(d);
1844  }
1845 }
1846 
1847 static void rfcomm_process_rx(struct rfcomm_session *s)
1848 {
1849  struct socket *sock = s->sock;
1850  struct sock *sk = sock->sk;
1851  struct sk_buff *skb;
1852 
1853  BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1854 
1855  /* Get data directly from socket receive queue without copying it. */
1856  while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1857  skb_orphan(skb);
1858  if (!skb_linearize(skb))
1859  rfcomm_recv_frame(s, skb);
1860  else
1861  kfree_skb(skb);
1862  }
1863 
1864  if (sk->sk_state == BT_CLOSED) {
1865  if (!s->initiator)
1866  rfcomm_session_put(s);
1867 
1868  rfcomm_session_close(s, sk->sk_err);
1869  }
1870 }
1871 
1872 static void rfcomm_accept_connection(struct rfcomm_session *s)
1873 {
1874  struct socket *sock = s->sock, *nsock;
1875  int err;
1876 
1877  /* Fast check for a new connection.
1878  * Avoids unnesesary socket allocations. */
1879  if (list_empty(&bt_sk(sock->sk)->accept_q))
1880  return;
1881 
1882  BT_DBG("session %p", s);
1883 
1884  err = kernel_accept(sock, &nsock, O_NONBLOCK);
1885  if (err < 0)
1886  return;
1887 
1888  /* Set our callbacks */
1889  nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1890  nsock->sk->sk_state_change = rfcomm_l2state_change;
1891 
1892  s = rfcomm_session_add(nsock, BT_OPEN);
1893  if (s) {
1894  rfcomm_session_hold(s);
1895 
1896  /* We should adjust MTU on incoming sessions.
1897  * L2CAP MTU minus UIH header and FCS. */
1898  s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1899  l2cap_pi(nsock->sk)->chan->imtu) - 5;
1900 
1901  rfcomm_schedule();
1902  } else
1903  sock_release(nsock);
1904 }
1905 
1906 static void rfcomm_check_connection(struct rfcomm_session *s)
1907 {
1908  struct sock *sk = s->sock->sk;
1909 
1910  BT_DBG("%p state %ld", s, s->state);
1911 
1912  switch (sk->sk_state) {
1913  case BT_CONNECTED:
1914  s->state = BT_CONNECT;
1915 
1916  /* We can adjust MTU on outgoing sessions.
1917  * L2CAP MTU minus UIH header and FCS. */
1918  s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1919 
1920  rfcomm_send_sabm(s, 0);
1921  break;
1922 
1923  case BT_CLOSED:
1924  s->state = BT_CLOSED;
1925  rfcomm_session_close(s, sk->sk_err);
1926  break;
1927  }
1928 }
1929 
1930 static void rfcomm_process_sessions(void)
1931 {
1932  struct list_head *p, *n;
1933 
1934  rfcomm_lock();
1935 
1936  list_for_each_safe(p, n, &session_list) {
1937  struct rfcomm_session *s;
1938  s = list_entry(p, struct rfcomm_session, list);
1939 
1940  if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1941  s->state = BT_DISCONN;
1942  rfcomm_send_disc(s, 0);
1943  rfcomm_session_put(s);
1944  continue;
1945  }
1946 
1947  if (s->state == BT_LISTEN) {
1948  rfcomm_accept_connection(s);
1949  continue;
1950  }
1951 
1952  rfcomm_session_hold(s);
1953 
1954  switch (s->state) {
1955  case BT_BOUND:
1956  rfcomm_check_connection(s);
1957  break;
1958 
1959  default:
1960  rfcomm_process_rx(s);
1961  break;
1962  }
1963 
1964  rfcomm_process_dlcs(s);
1965 
1966  rfcomm_session_put(s);
1967  }
1968 
1969  rfcomm_unlock();
1970 }
1971 
1972 static int rfcomm_add_listener(bdaddr_t *ba)
1973 {
1974  struct sockaddr_l2 addr;
1975  struct socket *sock;
1976  struct sock *sk;
1977  struct rfcomm_session *s;
1978  int err = 0;
1979 
1980  /* Create socket */
1981  err = rfcomm_l2sock_create(&sock);
1982  if (err < 0) {
1983  BT_ERR("Create socket failed %d", err);
1984  return err;
1985  }
1986 
1987  /* Bind socket */
1988  bacpy(&addr.l2_bdaddr, ba);
1989  addr.l2_family = AF_BLUETOOTH;
1990  addr.l2_psm = cpu_to_le16(RFCOMM_PSM);
1991  addr.l2_cid = 0;
1992  err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1993  if (err < 0) {
1994  BT_ERR("Bind failed %d", err);
1995  goto failed;
1996  }
1997 
1998  /* Set L2CAP options */
1999  sk = sock->sk;
2000  lock_sock(sk);
2001  l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2002  release_sock(sk);
2003 
2004  /* Start listening on the socket */
2005  err = kernel_listen(sock, 10);
2006  if (err) {
2007  BT_ERR("Listen failed %d", err);
2008  goto failed;
2009  }
2010 
2011  /* Add listening session */
2012  s = rfcomm_session_add(sock, BT_LISTEN);
2013  if (!s)
2014  goto failed;
2015 
2016  rfcomm_session_hold(s);
2017  return 0;
2018 failed:
2019  sock_release(sock);
2020  return err;
2021 }
2022 
2023 static void rfcomm_kill_listener(void)
2024 {
2025  struct rfcomm_session *s;
2026  struct list_head *p, *n;
2027 
2028  BT_DBG("");
2029 
2030  list_for_each_safe(p, n, &session_list) {
2031  s = list_entry(p, struct rfcomm_session, list);
2032  rfcomm_session_del(s);
2033  }
2034 }
2035 
2036 static int rfcomm_run(void *unused)
2037 {
2038  BT_DBG("");
2039 
2040  set_user_nice(current, -10);
2041 
2042  rfcomm_add_listener(BDADDR_ANY);
2043 
2044  while (1) {
2045  set_current_state(TASK_INTERRUPTIBLE);
2046 
2047  if (kthread_should_stop())
2048  break;
2049 
2050  /* Process stuff */
2051  rfcomm_process_sessions();
2052 
2053  schedule();
2054  }
2055  __set_current_state(TASK_RUNNING);
2056 
2057  rfcomm_kill_listener();
2058 
2059  return 0;
2060 }
2061 
2062 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2063 {
2064  struct rfcomm_session *s;
2065  struct rfcomm_dlc *d;
2066  struct list_head *p, *n;
2067 
2068  BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2069 
2070  s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2071  if (!s)
2072  return;
2073 
2074  rfcomm_session_hold(s);
2075 
2076  list_for_each_safe(p, n, &s->dlcs) {
2077  d = list_entry(p, struct rfcomm_dlc, list);
2078 
2079  if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2080  rfcomm_dlc_clear_timer(d);
2081  if (status || encrypt == 0x00) {
2082  set_bit(RFCOMM_ENC_DROP, &d->flags);
2083  continue;
2084  }
2085  }
2086 
2087  if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2088  if (d->sec_level == BT_SECURITY_MEDIUM) {
2089  set_bit(RFCOMM_SEC_PENDING, &d->flags);
2090  rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2091  continue;
2092  } else if (d->sec_level == BT_SECURITY_HIGH) {
2093  set_bit(RFCOMM_ENC_DROP, &d->flags);
2094  continue;
2095  }
2096  }
2097 
2098  if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2099  continue;
2100 
2101  if (!status && hci_conn_check_secure(conn, d->sec_level))
2102  set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2103  else
2104  set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2105  }
2106 
2107  rfcomm_session_put(s);
2108 
2109  rfcomm_schedule();
2110 }
2111 
2112 static struct hci_cb rfcomm_cb = {
2113  .name = "RFCOMM",
2114  .security_cfm = rfcomm_security_cfm
2115 };
2116 
2117 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2118 {
2119  struct rfcomm_session *s;
2120 
2121  rfcomm_lock();
2122 
2123  list_for_each_entry(s, &session_list, list) {
2124  struct rfcomm_dlc *d;
2125  list_for_each_entry(d, &s->dlcs, list) {
2126  struct sock *sk = s->sock->sk;
2127 
2128  seq_printf(f, "%s %s %ld %d %d %d %d\n",
2129  batostr(&bt_sk(sk)->src),
2130  batostr(&bt_sk(sk)->dst),
2131  d->state, d->dlci, d->mtu,
2132  d->rx_credits, d->tx_credits);
2133  }
2134  }
2135 
2136  rfcomm_unlock();
2137 
2138  return 0;
2139 }
2140 
2141 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2142 {
2143  return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2144 }
2145 
2146 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2147  .open = rfcomm_dlc_debugfs_open,
2148  .read = seq_read,
2149  .llseek = seq_lseek,
2150  .release = single_release,
2151 };
2152 
2153 static struct dentry *rfcomm_dlc_debugfs;
2154 
2155 /* ---- Initialization ---- */
2156 static int __init rfcomm_init(void)
2157 {
2158  int err;
2159 
2160  hci_register_cb(&rfcomm_cb);
2161 
2162  rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2163  if (IS_ERR(rfcomm_thread)) {
2164  err = PTR_ERR(rfcomm_thread);
2165  goto unregister;
2166  }
2167 
2168  if (bt_debugfs) {
2169  rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2170  bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2171  if (!rfcomm_dlc_debugfs)
2172  BT_ERR("Failed to create RFCOMM debug file");
2173  }
2174 
2175  err = rfcomm_init_ttys();
2176  if (err < 0)
2177  goto stop;
2178 
2179  err = rfcomm_init_sockets();
2180  if (err < 0)
2181  goto cleanup;
2182 
2183  BT_INFO("RFCOMM ver %s", VERSION);
2184 
2185  return 0;
2186 
2187 cleanup:
2188  rfcomm_cleanup_ttys();
2189 
2190 stop:
2191  kthread_stop(rfcomm_thread);
2192 
2193 unregister:
2194  hci_unregister_cb(&rfcomm_cb);
2195 
2196  return err;
2197 }
2198 
2199 static void __exit rfcomm_exit(void)
2200 {
2201  debugfs_remove(rfcomm_dlc_debugfs);
2202 
2203  hci_unregister_cb(&rfcomm_cb);
2204 
2205  kthread_stop(rfcomm_thread);
2206 
2207  rfcomm_cleanup_ttys();
2208 
2209  rfcomm_cleanup_sockets();
2210 }
2211 
2212 module_init(rfcomm_init);
2213 module_exit(rfcomm_exit);
2214 
2215 module_param(disable_cfc, bool, 0644);
2216 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2217 
2218 module_param(channel_mtu, int, 0644);
2219 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2220 
2221 module_param(l2cap_mtu, uint, 0644);
2222 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2223 
2224 module_param(l2cap_ertm, bool, 0644);
2225 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2226 
2227 MODULE_AUTHOR("Marcel Holtmann <[email protected]>");
2228 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2229 MODULE_VERSION(VERSION);
2230 MODULE_LICENSE("GPL");
2231 MODULE_ALIAS("bt-proto-3");
Generated on Thu Jan 10 2013 12:57:58 for Linux Kernel by   doxygen 1.8.2