projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Avoid use of session socket after the session gets freed
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / rfcomm / core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
8e87d142
YH		 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 21 SOFTWARE IS DISCLAIMED.
22*/
23
1da177e4
LT		 24/*
25 * Bluetooth RFCOMM core.
1da177e4
LT		 26 */
27
1da177e4 28#include <linux/module.h>
aef7d97c 29#include <linux/debugfs.h>
a524eccc 30#include <linux/kthread.h>
1da177e4
LT		 31#include <asm/unaligned.h>
32
33#include <net/bluetooth/bluetooth.h>
34#include <net/bluetooth/hci_core.h>
35#include <net/bluetooth/l2cap.h>
36#include <net/bluetooth/rfcomm.h>
37
5f9018af 38#define VERSION "1.11"
56f3a40a 39
eb939922
RR		 40static bool disable_cfc;
41static bool l2cap_ertm;
98bcd08b 42static int channel_mtu = -1;
56f3a40a
MH		 43static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44
1da177e4
LT		 45static struct task_struct *rfcomm_thread;
46
4a3e2f71
AV		 47static DEFINE_MUTEX(rfcomm_mutex);
48#define rfcomm_lock() mutex_lock(&rfcomm_mutex)
49#define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
1da177e4 50
1da177e4
LT		 51
52static LIST_HEAD(session_list);
1da177e4 53
5436538f 54static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
1da177e4
LT		 55static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64
65static void rfcomm_process_connect(struct rfcomm_session *s);
66
63ce0900
LAD		 67static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68 bdaddr_t *dst,
69 u8 sec_level,
70 int *err);
1da177e4 71static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
8ff52f7d 72static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
1da177e4
LT		 73
74/* ---- RFCOMM frame parsing macros ---- */
75#define __get_dlci(b) ((b & 0xfc) >> 2)
76#define __get_channel(b) ((b & 0xf8) >> 3)
77#define __get_dir(b) ((b & 0x04) >> 2)
78#define __get_type(b) ((b & 0xef))
79
80#define __test_ea(b) ((b & 0x01))
81#define __test_cr(b) ((b & 0x02))
82#define __test_pf(b) ((b & 0x10))
83
84#define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
85#define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
86#define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
87#define __srv_channel(dlci) (dlci >> 1)
88#define __dir(dlci) (dlci & 0x01)
89
90#define __len8(len) (((len) << 1) | 1)
91#define __len16(len) ((len) << 1)
92
93/* MCC macros */
94#define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
95#define __get_mcc_type(b) ((b & 0xfc) >> 2)
96#define __get_mcc_len(b) ((b & 0xfe) >> 1)
97
98/* RPN macros */
3a5e903c 99#define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
1da177e4
LT		 100#define __get_rpn_data_bits(line) ((line) & 0x3)
101#define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
3a5e903c 102#define __get_rpn_parity(line) (((line) >> 3) & 0x7)
1da177e4 103
6039aa73 104static void rfcomm_schedule(void)
1da177e4
LT		 105{
106 if (!rfcomm_thread)
107 return;
1da177e4
LT		 108 wake_up_process(rfcomm_thread);
109}
110
1da177e4
LT		 111/* ---- RFCOMM FCS computation ---- */
112
408c1ce2 113/* reversed, 8-bit, poly=0x07 */
8e87d142 114static unsigned char rfcomm_crc_table[256] = {
408c1ce2
MH		 115 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
116 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
117 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
118 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
119
120 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
121 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
122 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
123 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
124
125 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
126 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
127 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
128 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
129
130 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
131 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
132 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
133 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
134
135 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
136 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
137 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
138 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
139
140 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
141 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
142 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
143 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
144
145 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
146 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
147 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
148 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
149
150 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
151 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
152 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
153 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
154};
155
1da177e4
LT		 156/* CRC on 2 bytes */
157#define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
158
8e87d142 159/* FCS on 2 bytes */
1da177e4
LT		 160static inline u8 __fcs(u8 *data)
161{
a02cec21 162 return 0xff - __crc(data);
1da177e4
LT		 163}
164
8e87d142 165/* FCS on 3 bytes */
1da177e4
LT		 166static inline u8 __fcs2(u8 *data)
167{
a02cec21 168 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
1da177e4
LT		 169}
170
171/* Check FCS */
172static inline int __check_fcs(u8 *data, int type, u8 fcs)
173{
174 u8 f = __crc(data);
175
176 if (type != RFCOMM_UIH)
177 f = rfcomm_crc_table[f ^ data[2]];
178
179 return rfcomm_crc_table[f ^ fcs] != 0xcf;
180}
181
182/* ---- L2CAP callbacks ---- */
183static void rfcomm_l2state_change(struct sock *sk)
184{
185 BT_DBG("%p state %d", sk, sk->sk_state);
534c92fd 186 rfcomm_schedule();
1da177e4
LT		 187}
188
189static void rfcomm_l2data_ready(struct sock *sk, int bytes)
190{
191 BT_DBG("%p bytes %d", sk, bytes);
534c92fd 192 rfcomm_schedule();
1da177e4
LT		 193}
194
195static int rfcomm_l2sock_create(struct socket **sock)
196{
197 int err;
198
199 BT_DBG("");
200
201 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
202 if (!err) {
203 struct sock *sk = (*sock)->sk;
204 sk->sk_data_ready = rfcomm_l2data_ready;
205 sk->sk_state_change = rfcomm_l2state_change;
206 }
207 return err;
208}
209
6039aa73 210static int rfcomm_check_security(struct rfcomm_dlc *d)
77db1980
MH		 211{
212 struct sock *sk = d->session->sock->sk;
8c1d787b
GP		 213 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
214
0684e5f9
MH		 215 __u8 auth_type;
216
217 switch (d->sec_level) {
218 case BT_SECURITY_HIGH:
219 auth_type = HCI_AT_GENERAL_BONDING_MITM;
220 break;
221 case BT_SECURITY_MEDIUM:
222 auth_type = HCI_AT_GENERAL_BONDING;
223 break;
224 default:
225 auth_type = HCI_AT_NO_BONDING;
226 break;
227 }
77db1980 228
8c1d787b 229 return hci_conn_security(conn->hcon, d->sec_level, auth_type);
77db1980
MH		 230}
231
9e726b17
LAD		 232static void rfcomm_session_timeout(unsigned long arg)
233{
234 struct rfcomm_session *s = (void *) arg;
235
236 BT_DBG("session %p state %ld", s, s->state);
237
238 set_bit(RFCOMM_TIMED_OUT, &s->flags);
534c92fd 239 rfcomm_schedule();
9e726b17
LAD		 240}
241
242static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
243{
244 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
245
08c30aca 246 mod_timer(&s->timer, jiffies + timeout);
9e726b17
LAD		 247}
248
249static void rfcomm_session_clear_timer(struct rfcomm_session *s)
250{
251 BT_DBG("session %p state %ld", s, s->state);
252
08c30aca 253 del_timer_sync(&s->timer);
9e726b17
LAD		 254}
255
1da177e4
LT		 256/* ---- RFCOMM DLCs ---- */
257static void rfcomm_dlc_timeout(unsigned long arg)
258{
259 struct rfcomm_dlc *d = (void *) arg;
260
261 BT_DBG("dlc %p state %ld", d, d->state);
262
263 set_bit(RFCOMM_TIMED_OUT, &d->flags);
264 rfcomm_dlc_put(d);
534c92fd 265 rfcomm_schedule();
1da177e4
LT		 266}
267
268static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
269{
270 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
271
272 if (!mod_timer(&d->timer, jiffies + timeout))
273 rfcomm_dlc_hold(d);
274}
275
276static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
277{
278 BT_DBG("dlc %p state %ld", d, d->state);
279
25cc4ae9 280 if (del_timer(&d->timer))
1da177e4
LT		 281 rfcomm_dlc_put(d);
282}
283
284static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
285{
286 BT_DBG("%p", d);
287
288 d->state = BT_OPEN;
289 d->flags = 0;
290 d->mscex = 0;
183f732c 291 d->sec_level = BT_SECURITY_LOW;
1da177e4
LT		 292 d->mtu = RFCOMM_DEFAULT_MTU;
293 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
294
295 d->cfc = RFCOMM_CFC_DISABLED;
296 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
297}
298
dd0fc66f 299struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
1da177e4 300{
25ea6db0
MH		 301 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
302
1da177e4
LT		 303 if (!d)
304 return NULL;
1da177e4 305
b24b8a24 306 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
1da177e4
LT		 307
308 skb_queue_head_init(&d->tx_queue);
309 spin_lock_init(&d->lock);
310 atomic_set(&d->refcnt, 1);
311
312 rfcomm_dlc_clear_state(d);
8e87d142 313
1da177e4 314 BT_DBG("%p", d);
25ea6db0 315
1da177e4
LT		 316 return d;
317}
318
319void rfcomm_dlc_free(struct rfcomm_dlc *d)
320{
321 BT_DBG("%p", d);
322
323 skb_queue_purge(&d->tx_queue);
324 kfree(d);
325}
326
327static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
328{
329 BT_DBG("dlc %p session %p", d, s);
330
9e726b17 331 rfcomm_session_clear_timer(s);
1da177e4
LT		 332 rfcomm_dlc_hold(d);
333 list_add(&d->list, &s->dlcs);
334 d->session = s;
335}
336
337static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
338{
339 struct rfcomm_session *s = d->session;
340
341 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
342
343 list_del(&d->list);
344 d->session = NULL;
345 rfcomm_dlc_put(d);
346
9e726b17
LAD		 347 if (list_empty(&s->dlcs))
348 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
1da177e4
LT		 349}
350
351static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
352{
353 struct rfcomm_dlc *d;
1da177e4 354
8035ded4 355 list_for_each_entry(d, &s->dlcs, list)
1da177e4
LT		 356 if (d->dlci == dlci)
357 return d;
8035ded4 358
1da177e4
LT		 359 return NULL;
360}
361
362static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
363{
364 struct rfcomm_session *s;
365 int err = 0;
366 u8 dlci;
367
6ed93dc6
AE		 368 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
369 d, d->state, src, dst, channel);
1da177e4
LT		 370
371 if (channel < 1 || channel > 30)
372 return -EINVAL;
373
374 if (d->state != BT_OPEN && d->state != BT_CLOSED)
375 return 0;
376
377 s = rfcomm_session_get(src, dst);
378 if (!s) {
63ce0900 379 s = rfcomm_session_create(src, dst, d->sec_level, &err);
1da177e4
LT		 380 if (!s)
381 return err;
382 }
383
384 dlci = __dlci(!s->initiator, channel);
385
386 /* Check if DLCI already exists */
387 if (rfcomm_dlc_get(s, dlci))
388 return -EBUSY;
389
390 rfcomm_dlc_clear_state(d);
391
392 d->dlci = dlci;
393 d->addr = __addr(s->initiator, dlci);
394 d->priority = 7;
395
77db1980 396 d->state = BT_CONFIG;
1da177e4
LT		 397 rfcomm_dlc_link(s, d);
398
77db1980
MH		 399 d->out = 1;
400
1da177e4
LT		 401 d->mtu = s->mtu;
402 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
403
77db1980 404 if (s->state == BT_CONNECTED) {
9f2c8a03 405 if (rfcomm_check_security(d))
77db1980 406 rfcomm_send_pn(s, 1, d);
8c1b2355
MH		 407 else
408 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
77db1980
MH		 409 }
410
1da177e4 411 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
77db1980 412
1da177e4
LT		 413 return 0;
414}
415
416int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
417{
418 int r;
419
420 rfcomm_lock();
421
422 r = __rfcomm_dlc_open(d, src, dst, channel);
423
424 rfcomm_unlock();
425 return r;
426}
427
428static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
429{
430 struct rfcomm_session *s = d->session;
431 if (!s)
432 return 0;
433
434 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
435 d, d->state, d->dlci, err, s);
436
437 switch (d->state) {
1da177e4 438 case BT_CONNECT:
bb23c0ab
MH		 439 case BT_CONFIG:
440 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
441 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
534c92fd 442 rfcomm_schedule();
bb23c0ab
MH		 443 break;
444 }
445 /* Fall through */
446
447 case BT_CONNECTED:
1da177e4
LT		 448 d->state = BT_DISCONN;
449 if (skb_queue_empty(&d->tx_queue)) {
450 rfcomm_send_disc(s, d->dlci);
451 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
452 } else {
453 rfcomm_queue_disc(d);
454 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
455 }
456 break;
457
bb23c0ab 458 case BT_OPEN:
8bf47941 459 case BT_CONNECT2:
bb23c0ab
MH		 460 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
461 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
534c92fd 462 rfcomm_schedule();
bb23c0ab
MH		 463 break;
464 }
465 /* Fall through */
466
1da177e4
LT		 467 default:
468 rfcomm_dlc_clear_timer(d);
469
470 rfcomm_dlc_lock(d);
471 d->state = BT_CLOSED;
1905f6c7 472 d->state_change(d, err);
4c8411f8 473 rfcomm_dlc_unlock(d);
1da177e4
LT		 474
475 skb_queue_purge(&d->tx_queue);
1da177e4
LT		 476 rfcomm_dlc_unlink(d);
477 }
478
479 return 0;
480}
481
482int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
483{
c06f7d53
DJ		 484 int r = 0;
485 struct rfcomm_dlc *d_list;
486 struct rfcomm_session *s, *s_list;
487
488 BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
1da177e4
LT		 489
490 rfcomm_lock();
491
c06f7d53
DJ		 492 s = d->session;
493 if (!s)
494 goto no_session;
495
496 /* after waiting on the mutex check the session still exists
497 * then check the dlc still exists
498 */
499 list_for_each_entry(s_list, &session_list, list) {
500 if (s_list == s) {
501 list_for_each_entry(d_list, &s->dlcs, list) {
502 if (d_list == d) {
503 r = __rfcomm_dlc_close(d, err);
504 break;
505 }
506 }
507 break;
508 }
509 }
1da177e4 510
c06f7d53 511no_session:
1da177e4
LT		 512 rfcomm_unlock();
513 return r;
514}
515
516int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
517{
518 int len = skb->len;
519
520 if (d->state != BT_CONNECTED)
521 return -ENOTCONN;
522
523 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
524
525 if (len > d->mtu)
526 return -EINVAL;
527
528 rfcomm_make_uih(skb, d->addr);
529 skb_queue_tail(&d->tx_queue, skb);
530
531 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
534c92fd 532 rfcomm_schedule();
1da177e4
LT		 533 return len;
534}
535
b5606c2d 536void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
1da177e4
LT		 537{
538 BT_DBG("dlc %p state %ld", d, d->state);
539
540 if (!d->cfc) {
541 d->v24_sig |= RFCOMM_V24_FC;
542 set_bit(RFCOMM_MSC_PENDING, &d->flags);
543 }
534c92fd 544 rfcomm_schedule();
1da177e4
LT		 545}
546
b5606c2d 547void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
1da177e4
LT		 548{
549 BT_DBG("dlc %p state %ld", d, d->state);
550
551 if (!d->cfc) {
552 d->v24_sig &= ~RFCOMM_V24_FC;
553 set_bit(RFCOMM_MSC_PENDING, &d->flags);
554 }
534c92fd 555 rfcomm_schedule();
1da177e4
LT		 556}
557
8e87d142 558/*
1da177e4
LT		 559 Set/get modem status functions use _local_ status i.e. what we report
560 to the other side.
561 Remote status is provided by dlc->modem_status() callback.
562 */
563int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
564{
8e87d142 565 BT_DBG("dlc %p state %ld v24_sig 0x%x",
1da177e4
LT		 566 d, d->state, v24_sig);
567
568 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
569 v24_sig |= RFCOMM_V24_FC;
570 else
571 v24_sig &= ~RFCOMM_V24_FC;
8e87d142 572
1da177e4
LT		 573 d->v24_sig = v24_sig;
574
575 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
534c92fd 576 rfcomm_schedule();
1da177e4
LT		 577
578 return 0;
579}
580
581int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
582{
8e87d142 583 BT_DBG("dlc %p state %ld v24_sig 0x%x",
1da177e4
LT		 584 d, d->state, d->v24_sig);
585
586 *v24_sig = d->v24_sig;
587 return 0;
588}
589
590/* ---- RFCOMM sessions ---- */
591static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
592{
25ea6db0
MH		 593 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
594
1da177e4
LT		 595 if (!s)
596 return NULL;
1da177e4
LT		 597
598 BT_DBG("session %p sock %p", s, sock);
599
9e726b17
LAD		 600 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
601
1da177e4
LT		 602 INIT_LIST_HEAD(&s->dlcs);
603 s->state = state;
604 s->sock = sock;
605
606 s->mtu = RFCOMM_DEFAULT_MTU;
7c2660b0 607 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
1da177e4
LT		 608
609 /* Do not increment module usage count for listening sessions.
610 * Otherwise we won't be able to unload the module. */
611 if (state != BT_LISTEN)
612 if (!try_module_get(THIS_MODULE)) {
613 kfree(s);
614 return NULL;
615 }
616
617 list_add(&s->list, &session_list);
618
619 return s;
620}
621
8ff52f7d 622static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
1da177e4
LT		 623{
624 int state = s->state;
625
626 BT_DBG("session %p state %ld", s, s->state);
627
628 list_del(&s->list);
629
9e726b17 630 rfcomm_session_clear_timer(s);
1da177e4
LT		 631 sock_release(s->sock);
632 kfree(s);
633
634 if (state != BT_LISTEN)
635 module_put(THIS_MODULE);
8ff52f7d
DJ		 636
637 return NULL;
1da177e4
LT		 638}
639
640static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
641{
642 struct rfcomm_session *s;
643 struct list_head *p, *n;
644 struct bt_sock *sk;
645 list_for_each_safe(p, n, &session_list) {
646 s = list_entry(p, struct rfcomm_session, list);
8e87d142 647 sk = bt_sk(s->sock->sk);
1da177e4
LT		 648
649 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
650 !bacmp(&sk->dst, dst))
651 return s;
652 }
653 return NULL;
654}
655
8ff52f7d
DJ		 656static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
657 int err)
1da177e4
LT		 658{
659 struct rfcomm_dlc *d;
660 struct list_head *p, *n;
661
1da177e4
LT		 662 s->state = BT_CLOSED;
663
24fd642c
DJ		 664 BT_DBG("session %p state %ld err %d", s, s->state, err);
665
1da177e4
LT		 666 /* Close all dlcs */
667 list_for_each_safe(p, n, &s->dlcs) {
668 d = list_entry(p, struct rfcomm_dlc, list);
669 d->state = BT_CLOSED;
670 __rfcomm_dlc_close(d, err);
671 }
672
9e726b17 673 rfcomm_session_clear_timer(s);
08c30aca 674 return rfcomm_session_del(s);
1da177e4
LT		 675}
676
63ce0900
LAD		 677static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
678 bdaddr_t *dst,
679 u8 sec_level,
680 int *err)
1da177e4
LT		 681{
682 struct rfcomm_session *s = NULL;
683 struct sockaddr_l2 addr;
684 struct socket *sock;
685 struct sock *sk;
686
6ed93dc6 687 BT_DBG("%pMR -> %pMR", src, dst);
1da177e4
LT		 688
689 *err = rfcomm_l2sock_create(&sock);
690 if (*err < 0)
691 return NULL;
692
693 bacpy(&addr.l2_bdaddr, src);
694 addr.l2_family = AF_BLUETOOTH;
695 addr.l2_psm = 0;
37e62f55 696 addr.l2_cid = 0;
48db9ca4 697 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1da177e4
LT		 698 if (*err < 0)
699 goto failed;
700
701 /* Set L2CAP options */
702 sk = sock->sk;
703 lock_sock(sk);
0c1bc5c6 704 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
47d1ec61 705 l2cap_pi(sk)->chan->sec_level = sec_level;
eae38eed 706 if (l2cap_ertm)
0c1bc5c6 707 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
1da177e4
LT		 708 release_sock(sk);
709
710 s = rfcomm_session_add(sock, BT_BOUND);
711 if (!s) {
712 *err = -ENOMEM;
713 goto failed;
714 }
715
1da177e4
LT		 716 s->initiator = 1;
717
718 bacpy(&addr.l2_bdaddr, dst);
719 addr.l2_family = AF_BLUETOOTH;
5bcb8094 720 addr.l2_psm = __constant_cpu_to_le16(RFCOMM_PSM);
37e62f55 721 addr.l2_cid = 0;
48db9ca4 722 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
b4c612a4 723 if (*err == 0 || *err == -EINPROGRESS)
1da177e4
LT		 724 return s;
725
8ff52f7d 726 return rfcomm_session_del(s);
1da177e4
LT		 727
728failed:
729 sock_release(sock);
730 return NULL;
731}
732
733void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
734{
735 struct sock *sk = s->sock->sk;
736 if (src)
737 bacpy(src, &bt_sk(sk)->src);
738 if (dst)
739 bacpy(dst, &bt_sk(sk)->dst);
740}
741
742/* ---- RFCOMM frame sending ---- */
5436538f 743static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
1da177e4 744{
1da177e4
LT		 745 struct kvec iv = { data, len };
746 struct msghdr msg;
747
5436538f 748 BT_DBG("session %p len %d", s, len);
1da177e4
LT		 749
750 memset(&msg, 0, sizeof(msg));
751
5436538f 752 return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
1da177e4
LT		 753}
754
262038fc
LAD		 755static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
756{
757 BT_DBG("%p cmd %u", s, cmd->ctrl);
758
5436538f 759 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
262038fc
LAD		 760}
761
1da177e4
LT		 762static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
763{
764 struct rfcomm_cmd cmd;
765
766 BT_DBG("%p dlci %d", s, dlci);
767
768 cmd.addr = __addr(s->initiator, dlci);
769 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
770 cmd.len = __len8(0);
771 cmd.fcs = __fcs2((u8 *) &cmd);
772
262038fc 773 return rfcomm_send_cmd(s, &cmd);
1da177e4
LT		 774}
775
776static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
777{
778 struct rfcomm_cmd cmd;
779
780 BT_DBG("%p dlci %d", s, dlci);
781
782 cmd.addr = __addr(!s->initiator, dlci);
783 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
784 cmd.len = __len8(0);
785 cmd.fcs = __fcs2((u8 *) &cmd);
786
262038fc 787 return rfcomm_send_cmd(s, &cmd);
1da177e4
LT		 788}
789
790static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
791{
792 struct rfcomm_cmd cmd;
793
794 BT_DBG("%p dlci %d", s, dlci);
795
796 cmd.addr = __addr(s->initiator, dlci);
797 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
798 cmd.len = __len8(0);
799 cmd.fcs = __fcs2((u8 *) &cmd);
800
262038fc 801 return rfcomm_send_cmd(s, &cmd);
1da177e4
LT		 802}
803
804static int rfcomm_queue_disc(struct rfcomm_dlc *d)
805{
806 struct rfcomm_cmd *cmd;
807 struct sk_buff *skb;
808
809 BT_DBG("dlc %p dlci %d", d, d->dlci);
810
811 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
812 if (!skb)
813 return -ENOMEM;
814
815 cmd = (void *) __skb_put(skb, sizeof(*cmd));
816 cmd->addr = d->addr;
817 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
818 cmd->len = __len8(0);
819 cmd->fcs = __fcs2((u8 *) cmd);
820
821 skb_queue_tail(&d->tx_queue, skb);
534c92fd 822 rfcomm_schedule();
1da177e4
LT		 823 return 0;
824}
825
826static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
827{
828 struct rfcomm_cmd cmd;
829
830 BT_DBG("%p dlci %d", s, dlci);
831
832 cmd.addr = __addr(!s->initiator, dlci);
833 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
834 cmd.len = __len8(0);
835 cmd.fcs = __fcs2((u8 *) &cmd);
836
262038fc 837 return rfcomm_send_cmd(s, &cmd);
1da177e4
LT		 838}
839
840static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
841{
842 struct rfcomm_hdr *hdr;
843 struct rfcomm_mcc *mcc;
844 u8 buf[16], *ptr = buf;
845
846 BT_DBG("%p cr %d type %d", s, cr, type);
847
848 hdr = (void *) ptr; ptr += sizeof(*hdr);
849 hdr->addr = __addr(s->initiator, 0);
850 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
851 hdr->len = __len8(sizeof(*mcc) + 1);
852
853 mcc = (void *) ptr; ptr += sizeof(*mcc);
854 mcc->type = __mcc_type(cr, RFCOMM_NSC);
855 mcc->len = __len8(1);
856
857 /* Type that we didn't like */
858 *ptr = __mcc_type(cr, type); ptr++;
859
860 *ptr = __fcs(buf); ptr++;
861
5436538f 862 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 863}
864
865static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
866{
867 struct rfcomm_hdr *hdr;
868 struct rfcomm_mcc *mcc;
869 struct rfcomm_pn *pn;
870 u8 buf[16], *ptr = buf;
871
872 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
873
874 hdr = (void *) ptr; ptr += sizeof(*hdr);
875 hdr->addr = __addr(s->initiator, 0);
876 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
877 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
878
879 mcc = (void *) ptr; ptr += sizeof(*mcc);
880 mcc->type = __mcc_type(cr, RFCOMM_PN);
881 mcc->len = __len8(sizeof(*pn));
882
883 pn = (void *) ptr; ptr += sizeof(*pn);
884 pn->dlci = d->dlci;
885 pn->priority = d->priority;
886 pn->ack_timer = 0;
887 pn->max_retrans = 0;
888
889 if (s->cfc) {
890 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
891 pn->credits = RFCOMM_DEFAULT_CREDITS;
892 } else {
893 pn->flow_ctrl = 0;
894 pn->credits = 0;
895 }
896
98bcd08b 897 if (cr && channel_mtu >= 0)
b4324b5d 898 pn->mtu = cpu_to_le16(channel_mtu);
98bcd08b 899 else
b4324b5d 900 pn->mtu = cpu_to_le16(d->mtu);
1da177e4
LT		 901
902 *ptr = __fcs(buf); ptr++;
903
5436538f 904 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 905}
906
3a5e903c
S		 907int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
908 u8 bit_rate, u8 data_bits, u8 stop_bits,
8e87d142 909 u8 parity, u8 flow_ctrl_settings,
3a5e903c 910 u8 xon_char, u8 xoff_char, u16 param_mask)
1da177e4
LT		 911{
912 struct rfcomm_hdr *hdr;
913 struct rfcomm_mcc *mcc;
914 struct rfcomm_rpn *rpn;
915 u8 buf[16], *ptr = buf;
916
917 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
8e87d142
YH		 918 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
919 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
3a5e903c 920 flow_ctrl_settings, xon_char, xoff_char, param_mask);
1da177e4
LT		 921
922 hdr = (void *) ptr; ptr += sizeof(*hdr);
923 hdr->addr = __addr(s->initiator, 0);
924 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
925 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
926
927 mcc = (void *) ptr; ptr += sizeof(*mcc);
928 mcc->type = __mcc_type(cr, RFCOMM_RPN);
929 mcc->len = __len8(sizeof(*rpn));
930
931 rpn = (void *) ptr; ptr += sizeof(*rpn);
932 rpn->dlci = __addr(1, dlci);
933 rpn->bit_rate = bit_rate;
934 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
935 rpn->flow_ctrl = flow_ctrl_settings;
936 rpn->xon_char = xon_char;
937 rpn->xoff_char = xoff_char;
e8db8c99 938 rpn->param_mask = cpu_to_le16(param_mask);
1da177e4
LT		 939
940 *ptr = __fcs(buf); ptr++;
941
5436538f 942 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 943}
944
945static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
946{
947 struct rfcomm_hdr *hdr;
948 struct rfcomm_mcc *mcc;
949 struct rfcomm_rls *rls;
950 u8 buf[16], *ptr = buf;
951
952 BT_DBG("%p cr %d status 0x%x", s, cr, status);
953
954 hdr = (void *) ptr; ptr += sizeof(*hdr);
955 hdr->addr = __addr(s->initiator, 0);
956 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
957 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
958
959 mcc = (void *) ptr; ptr += sizeof(*mcc);
960 mcc->type = __mcc_type(cr, RFCOMM_RLS);
961 mcc->len = __len8(sizeof(*rls));
962
963 rls = (void *) ptr; ptr += sizeof(*rls);
964 rls->dlci = __addr(1, dlci);
965 rls->status = status;
966
967 *ptr = __fcs(buf); ptr++;
968
5436538f 969 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 970}
971
972static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
973{
974 struct rfcomm_hdr *hdr;
975 struct rfcomm_mcc *mcc;
976 struct rfcomm_msc *msc;
977 u8 buf[16], *ptr = buf;
978
979 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
980
981 hdr = (void *) ptr; ptr += sizeof(*hdr);
982 hdr->addr = __addr(s->initiator, 0);
983 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
984 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
985
986 mcc = (void *) ptr; ptr += sizeof(*mcc);
987 mcc->type = __mcc_type(cr, RFCOMM_MSC);
988 mcc->len = __len8(sizeof(*msc));
989
990 msc = (void *) ptr; ptr += sizeof(*msc);
991 msc->dlci = __addr(1, dlci);
992 msc->v24_sig = v24_sig | 0x01;
993
994 *ptr = __fcs(buf); ptr++;
995
5436538f 996 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 997}
998
999static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1000{
1001 struct rfcomm_hdr *hdr;
1002 struct rfcomm_mcc *mcc;
1003 u8 buf[16], *ptr = buf;
1004
1005 BT_DBG("%p cr %d", s, cr);
1006
1007 hdr = (void *) ptr; ptr += sizeof(*hdr);
1008 hdr->addr = __addr(s->initiator, 0);
1009 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1010 hdr->len = __len8(sizeof(*mcc));
1011
1012 mcc = (void *) ptr; ptr += sizeof(*mcc);
1013 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1014 mcc->len = __len8(0);
1015
1016 *ptr = __fcs(buf); ptr++;
1017
5436538f 1018 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 1019}
1020
1021static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1022{
1023 struct rfcomm_hdr *hdr;
1024 struct rfcomm_mcc *mcc;
1025 u8 buf[16], *ptr = buf;
1026
1027 BT_DBG("%p cr %d", s, cr);
1028
1029 hdr = (void *) ptr; ptr += sizeof(*hdr);
1030 hdr->addr = __addr(s->initiator, 0);
1031 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1032 hdr->len = __len8(sizeof(*mcc));
1033
1034 mcc = (void *) ptr; ptr += sizeof(*mcc);
1035 mcc->type = __mcc_type(cr, RFCOMM_FCON);
1036 mcc->len = __len8(0);
1037
1038 *ptr = __fcs(buf); ptr++;
1039
5436538f 1040 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 1041}
1042
1043static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1044{
1045 struct socket *sock = s->sock;
1046 struct kvec iv[3];
1047 struct msghdr msg;
1048 unsigned char hdr[5], crc[1];
1049
1050 if (len > 125)
1051 return -EINVAL;
1052
1053 BT_DBG("%p cr %d", s, cr);
1054
1055 hdr[0] = __addr(s->initiator, 0);
1056 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1057 hdr[2] = 0x01 | ((len + 2) << 1);
1058 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1059 hdr[4] = 0x01 | (len << 1);
1060
1061 crc[0] = __fcs(hdr);
1062
1063 iv[0].iov_base = hdr;
1064 iv[0].iov_len = 5;
1065 iv[1].iov_base = pattern;
1066 iv[1].iov_len = len;
1067 iv[2].iov_base = crc;
1068 iv[2].iov_len = 1;
1069
1070 memset(&msg, 0, sizeof(msg));
1071
1072 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1073}
1074
1075static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1076{
1077 struct rfcomm_hdr *hdr;
1078 u8 buf[16], *ptr = buf;
1079
1080 BT_DBG("%p addr %d credits %d", s, addr, credits);
1081
1082 hdr = (void *) ptr; ptr += sizeof(*hdr);
1083 hdr->addr = addr;
1084 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1085 hdr->len = __len8(0);
1086
1087 *ptr = credits; ptr++;
1088
1089 *ptr = __fcs(buf); ptr++;
1090
5436538f 1091 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 1092}
1093
1094static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1095{
1096 struct rfcomm_hdr *hdr;
1097 int len = skb->len;
1098 u8 *crc;
1099
1100 if (len > 127) {
1101 hdr = (void *) skb_push(skb, 4);
b4324b5d 1102 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1da177e4
LT		 1103 } else {
1104 hdr = (void *) skb_push(skb, 3);
1105 hdr->len = __len8(len);
1106 }
1107 hdr->addr = addr;
1108 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1109
1110 crc = skb_put(skb, 1);
1111 *crc = __fcs((void *) hdr);
1112}
1113
1114/* ---- RFCOMM frame reception ---- */
8ff52f7d 1115static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1da177e4
LT		 1116{
1117 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1118
1119 if (dlci) {
1120 /* Data channel */
1121 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1122 if (!d) {
1123 rfcomm_send_dm(s, dlci);
8ff52f7d 1124 return s;
1da177e4
LT		 1125 }
1126
1127 switch (d->state) {
1128 case BT_CONNECT:
1129 rfcomm_dlc_clear_timer(d);
1130
1131 rfcomm_dlc_lock(d);
1132 d->state = BT_CONNECTED;
1133 d->state_change(d, 0);
1134 rfcomm_dlc_unlock(d);
1135
1136 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1137 break;
1138
1139 case BT_DISCONN:
1140 d->state = BT_CLOSED;
1141 __rfcomm_dlc_close(d, 0);
9cf5b0ea
MH		 1142
1143 if (list_empty(&s->dlcs)) {
1144 s->state = BT_DISCONN;
1145 rfcomm_send_disc(s, 0);
79e65478 1146 rfcomm_session_clear_timer(s);
9cf5b0ea
MH		 1147 }
1148
1da177e4
LT		 1149 break;
1150 }
1151 } else {
1152 /* Control channel */
1153 switch (s->state) {
1154 case BT_CONNECT:
1155 s->state = BT_CONNECTED;
1156 rfcomm_process_connect(s);
1157 break;
9cf5b0ea
MH		 1158
1159 case BT_DISCONN:
8ff52f7d 1160 s = rfcomm_session_close(s, ECONNRESET);
9cf5b0ea 1161 break;
1da177e4
LT		 1162 }
1163 }
8ff52f7d 1164 return s;
1da177e4
LT		 1165}
1166
8ff52f7d 1167static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1da177e4
LT		 1168{
1169 int err = 0;
1170
1171 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1172
1173 if (dlci) {
1174 /* Data DLC */
1175 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1176 if (d) {
1177 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1178 err = ECONNREFUSED;
1179 else
1180 err = ECONNRESET;
1181
1182 d->state = BT_CLOSED;
1183 __rfcomm_dlc_close(d, err);
1184 }
1185 } else {
1186 if (s->state == BT_CONNECT)
1187 err = ECONNREFUSED;
1188 else
1189 err = ECONNRESET;
1190
8ff52f7d 1191 s = rfcomm_session_close(s, err);
1da177e4 1192 }
8ff52f7d 1193 return s;
1da177e4
LT		 1194}
1195
8ff52f7d
DJ		 1196static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1197 u8 dlci)
1da177e4
LT		 1198{
1199 int err = 0;
1200
1201 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1202
1203 if (dlci) {
1204 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1205 if (d) {
1206 rfcomm_send_ua(s, dlci);
1207
1208 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1209 err = ECONNREFUSED;
1210 else
1211 err = ECONNRESET;
1212
1213 d->state = BT_CLOSED;
1214 __rfcomm_dlc_close(d, err);
8e87d142 1215 } else
1da177e4 1216 rfcomm_send_dm(s, dlci);
8e87d142 1217
1da177e4
LT		 1218 } else {
1219 rfcomm_send_ua(s, 0);
1220
1221 if (s->state == BT_CONNECT)
1222 err = ECONNREFUSED;
1223 else
1224 err = ECONNRESET;
1225
8ff52f7d 1226 s = rfcomm_session_close(s, err);
1da177e4 1227 }
8ff52f7d 1228 return s;
1da177e4
LT		 1229}
1230
bb23c0ab 1231void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1da177e4 1232{
300b9397 1233 struct sock *sk = d->session->sock->sk;
8c1d787b 1234 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
300b9397 1235
1da177e4
LT		 1236 BT_DBG("dlc %p", d);
1237
1238 rfcomm_send_ua(d->session, d->dlci);
1239
e2139b32
JH		 1240 rfcomm_dlc_clear_timer(d);
1241
1da177e4
LT		 1242 rfcomm_dlc_lock(d);
1243 d->state = BT_CONNECTED;
1244 d->state_change(d, 0);
1245 rfcomm_dlc_unlock(d);
1246
9f2c8a03 1247 if (d->role_switch)
8c1d787b 1248 hci_conn_switch_role(conn->hcon, 0x00);
300b9397 1249
1da177e4
LT		 1250 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1251}
1252
bb23c0ab
MH		 1253static void rfcomm_check_accept(struct rfcomm_dlc *d)
1254{
9f2c8a03 1255 if (rfcomm_check_security(d)) {
bb23c0ab
MH		 1256 if (d->defer_setup) {
1257 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1258 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
8bf47941
MH		 1259
1260 rfcomm_dlc_lock(d);
1261 d->state = BT_CONNECT2;
1262 d->state_change(d, 0);
1263 rfcomm_dlc_unlock(d);
bb23c0ab
MH		 1264 } else
1265 rfcomm_dlc_accept(d);
8c1b2355
MH		 1266 } else {
1267 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1268 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
bb23c0ab
MH		 1269 }
1270}
1271
1da177e4
LT		 1272static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1273{
1274 struct rfcomm_dlc *d;
1275 u8 channel;
1276
1277 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1278
1279 if (!dlci) {
1280 rfcomm_send_ua(s, 0);
1281
1282 if (s->state == BT_OPEN) {
1283 s->state = BT_CONNECTED;
1284 rfcomm_process_connect(s);
1285 }
1286 return 0;
1287 }
1288
1289 /* Check if DLC exists */
1290 d = rfcomm_dlc_get(s, dlci);
1291 if (d) {
1292 if (d->state == BT_OPEN) {
1293 /* DLC was previously opened by PN request */
bb23c0ab 1294 rfcomm_check_accept(d);
1da177e4
LT		 1295 }
1296 return 0;
1297 }
1298
1299 /* Notify socket layer about incoming connection */
1300 channel = __srv_channel(dlci);
1301 if (rfcomm_connect_ind(s, channel, &d)) {
1302 d->dlci = dlci;
1303 d->addr = __addr(s->initiator, dlci);
1304 rfcomm_dlc_link(s, d);
1305
bb23c0ab 1306 rfcomm_check_accept(d);
1da177e4
LT		 1307 } else {
1308 rfcomm_send_dm(s, dlci);
1309 }
1310
1311 return 0;
1312}
1313
1314static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1315{
1316 struct rfcomm_session *s = d->session;
1317
8e87d142 1318 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1da177e4
LT		 1319 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1320
7c2660b0
MH		 1321 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1322 pn->flow_ctrl == 0xe0) {
1323 d->cfc = RFCOMM_CFC_ENABLED;
1da177e4
LT		 1324 d->tx_credits = pn->credits;
1325 } else {
7c2660b0 1326 d->cfc = RFCOMM_CFC_DISABLED;
1da177e4
LT		 1327 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1328 }
1329
7c2660b0
MH		 1330 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1331 s->cfc = d->cfc;
1332
1da177e4
LT		 1333 d->priority = pn->priority;
1334
b4324b5d 1335 d->mtu = __le16_to_cpu(pn->mtu);
98bcd08b
MH		 1336
1337 if (cr && d->mtu > s->mtu)
1338 d->mtu = s->mtu;
1da177e4
LT		 1339
1340 return 0;
1341}
1342
1343static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1344{
1345 struct rfcomm_pn *pn = (void *) skb->data;
1346 struct rfcomm_dlc *d;
1347 u8 dlci = pn->dlci;
1348
1349 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1350
1351 if (!dlci)
1352 return 0;
1353
1354 d = rfcomm_dlc_get(s, dlci);
1355 if (d) {
1356 if (cr) {
1357 /* PN request */
1358 rfcomm_apply_pn(d, cr, pn);
1359 rfcomm_send_pn(s, 0, d);
1360 } else {
1361 /* PN response */
1362 switch (d->state) {
1363 case BT_CONFIG:
1364 rfcomm_apply_pn(d, cr, pn);
1365
1366 d->state = BT_CONNECT;
1367 rfcomm_send_sabm(s, d->dlci);
1368 break;
1369 }
1370 }
1371 } else {
1372 u8 channel = __srv_channel(dlci);
1373
1374 if (!cr)
1375 return 0;
1376
1377 /* PN request for non existing DLC.
1378 * Assume incoming connection. */
1379 if (rfcomm_connect_ind(s, channel, &d)) {
1380 d->dlci = dlci;
1381 d->addr = __addr(s->initiator, dlci);
1382 rfcomm_dlc_link(s, d);
1383
1384 rfcomm_apply_pn(d, cr, pn);
1385
1386 d->state = BT_OPEN;
1387 rfcomm_send_pn(s, 0, d);
1388 } else {
1389 rfcomm_send_dm(s, dlci);
1390 }
1391 }
1392 return 0;
1393}
1394
1395static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1396{
1397 struct rfcomm_rpn *rpn = (void *) skb->data;
1398 u8 dlci = __get_dlci(rpn->dlci);
1399
1400 u8 bit_rate = 0;
1401 u8 data_bits = 0;
1402 u8 stop_bits = 0;
1403 u8 parity = 0;
1404 u8 flow_ctrl = 0;
1405 u8 xon_char = 0;
1406 u8 xoff_char = 0;
1407 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
3a5e903c
S		 1408
1409 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1410 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1411 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1412
1413 if (!cr)
1da177e4 1414 return 0;
3a5e903c 1415
1da177e4 1416 if (len == 1) {
08601469
YK		 1417 /* This is a request, return default (according to ETSI TS 07.10) settings */
1418 bit_rate = RFCOMM_RPN_BR_9600;
1da177e4
LT		 1419 data_bits = RFCOMM_RPN_DATA_8;
1420 stop_bits = RFCOMM_RPN_STOP_1;
1421 parity = RFCOMM_RPN_PARITY_NONE;
1422 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1423 xon_char = RFCOMM_RPN_XON_CHAR;
1424 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1da177e4
LT		 1425 goto rpn_out;
1426 }
3a5e903c
S		 1427
1428 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1429 * no parity, no flow control lines, normal XON/XOFF chars */
1430
e8db8c99 1431 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1da177e4 1432 bit_rate = rpn->bit_rate;
08601469 1433 if (bit_rate > RFCOMM_RPN_BR_230400) {
1da177e4 1434 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
08601469 1435 bit_rate = RFCOMM_RPN_BR_9600;
1da177e4
LT		 1436 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1437 }
1438 }
3a5e903c 1439
e8db8c99 1440 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1da177e4
LT		 1441 data_bits = __get_rpn_data_bits(rpn->line_settings);
1442 if (data_bits != RFCOMM_RPN_DATA_8) {
1443 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1444 data_bits = RFCOMM_RPN_DATA_8;
1445 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1446 }
1447 }
3a5e903c 1448
e8db8c99 1449 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1da177e4
LT		 1450 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1451 if (stop_bits != RFCOMM_RPN_STOP_1) {
1452 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1453 stop_bits = RFCOMM_RPN_STOP_1;
1454 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1455 }
1456 }
3a5e903c 1457
e8db8c99 1458 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1da177e4
LT		 1459 parity = __get_rpn_parity(rpn->line_settings);
1460 if (parity != RFCOMM_RPN_PARITY_NONE) {
1461 BT_DBG("RPN parity mismatch 0x%x", parity);
1462 parity = RFCOMM_RPN_PARITY_NONE;
1463 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1464 }
1465 }
3a5e903c 1466
e8db8c99 1467 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1da177e4
LT		 1468 flow_ctrl = rpn->flow_ctrl;
1469 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1470 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1471 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1472 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1473 }
1474 }
3a5e903c 1475
e8db8c99 1476 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1da177e4
LT		 1477 xon_char = rpn->xon_char;
1478 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1479 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1480 xon_char = RFCOMM_RPN_XON_CHAR;
1481 rpn_mask ^= RFCOMM_RPN_PM_XON;
1482 }
1483 }
3a5e903c 1484
e8db8c99 1485 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1da177e4
LT		 1486 xoff_char = rpn->xoff_char;
1487 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1488 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1489 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1490 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1491 }
1492 }
1493
1494rpn_out:
3a5e903c
S		 1495 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1496 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1da177e4
LT		 1497
1498 return 0;
1499}
1500
1501static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1502{
1503 struct rfcomm_rls *rls = (void *) skb->data;
1504 u8 dlci = __get_dlci(rls->dlci);
1505
1506 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
3a5e903c 1507
1da177e4
LT		 1508 if (!cr)
1509 return 0;
1510
3a5e903c
S		 1511 /* We should probably do something with this information here. But
1512 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1513 * mandatory to recognise and respond to RLS */
1da177e4
LT		 1514
1515 rfcomm_send_rls(s, 0, dlci, rls->status);
1516
1517 return 0;
1518}
1519
1520static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1521{
1522 struct rfcomm_msc *msc = (void *) skb->data;
1523 struct rfcomm_dlc *d;
1524 u8 dlci = __get_dlci(msc->dlci);
1525
1526 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1527
1528 d = rfcomm_dlc_get(s, dlci);
3a5e903c 1529 if (!d)
1da177e4
LT		 1530 return 0;
1531
1532 if (cr) {
1533 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1534 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1535 else
1536 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
3a5e903c 1537
1da177e4 1538 rfcomm_dlc_lock(d);
8b6b3da7
MH		 1539
1540 d->remote_v24_sig = msc->v24_sig;
1541
1da177e4
LT		 1542 if (d->modem_status)
1543 d->modem_status(d, msc->v24_sig);
8b6b3da7 1544
1da177e4 1545 rfcomm_dlc_unlock(d);
8e87d142 1546
1da177e4
LT		 1547 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1548
1549 d->mscex |= RFCOMM_MSCEX_RX;
3a5e903c 1550 } else
1da177e4
LT		 1551 d->mscex |= RFCOMM_MSCEX_TX;
1552
1553 return 0;
1554}
1555
1556static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1557{
1558 struct rfcomm_mcc *mcc = (void *) skb->data;
1559 u8 type, cr, len;
1560
1561 cr = __test_cr(mcc->type);
1562 type = __get_mcc_type(mcc->type);
1563 len = __get_mcc_len(mcc->len);
1564
1565 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1566
1567 skb_pull(skb, 2);
1568
1569 switch (type) {
1570 case RFCOMM_PN:
1571 rfcomm_recv_pn(s, cr, skb);
1572 break;
1573
1574 case RFCOMM_RPN:
1575 rfcomm_recv_rpn(s, cr, len, skb);
1576 break;
1577
1578 case RFCOMM_RLS:
1579 rfcomm_recv_rls(s, cr, skb);
1580 break;
1581
1582 case RFCOMM_MSC:
1583 rfcomm_recv_msc(s, cr, skb);
1584 break;
1585
1586 case RFCOMM_FCOFF:
1587 if (cr) {
1588 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1589 rfcomm_send_fcoff(s, 0);
1590 }
1591 break;
1592
1593 case RFCOMM_FCON:
1594 if (cr) {
1595 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1596 rfcomm_send_fcon(s, 0);
1597 }
1598 break;
1599
1600 case RFCOMM_TEST:
1601 if (cr)
1602 rfcomm_send_test(s, 0, skb->data, skb->len);
1603 break;
1604
1605 case RFCOMM_NSC:
1606 break;
1607
1608 default:
1609 BT_ERR("Unknown control type 0x%02x", type);
1610 rfcomm_send_nsc(s, cr, type);
1611 break;
1612 }
1613 return 0;
1614}
1615
1616static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1617{
1618 struct rfcomm_dlc *d;
1619
1620 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1621
1622 d = rfcomm_dlc_get(s, dlci);
1623 if (!d) {
1624 rfcomm_send_dm(s, dlci);
1625 goto drop;
1626 }
1627
1628 if (pf && d->cfc) {
1629 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1630
1631 d->tx_credits += credits;
1632 if (d->tx_credits)
1633 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1634 }
1635
1636 if (skb->len && d->state == BT_CONNECTED) {
1637 rfcomm_dlc_lock(d);
1638 d->rx_credits--;
1639 d->data_ready(d, skb);
1640 rfcomm_dlc_unlock(d);
1641 return 0;
1642 }
1643
1644drop:
1645 kfree_skb(skb);
1646 return 0;
1647}
1648
8ff52f7d
DJ		 1649static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1650 struct sk_buff *skb)
1da177e4
LT		 1651{
1652 struct rfcomm_hdr *hdr = (void *) skb->data;
1653 u8 type, dlci, fcs;
1654
8ff52f7d
DJ		 1655 if (!s) {
1656 /* no session, so free socket data */
1657 kfree_skb(skb);
1658 return s;
1659 }
1660
1da177e4
LT		 1661 dlci = __get_dlci(hdr->addr);
1662 type = __get_type(hdr->ctrl);
1663
1664 /* Trim FCS */
1665 skb->len--; skb->tail--;
27a884dc 1666 fcs = *(u8 *)skb_tail_pointer(skb);
1da177e4
LT		 1667
1668 if (__check_fcs(skb->data, type, fcs)) {
1669 BT_ERR("bad checksum in packet");
1670 kfree_skb(skb);
8ff52f7d 1671 return s;
1da177e4
LT		 1672 }
1673
1674 if (__test_ea(hdr->len))
1675 skb_pull(skb, 3);
1676 else
1677 skb_pull(skb, 4);
1678
1679 switch (type) {
1680 case RFCOMM_SABM:
1681 if (__test_pf(hdr->ctrl))
1682 rfcomm_recv_sabm(s, dlci);
1683 break;
1684
1685 case RFCOMM_DISC:
1686 if (__test_pf(hdr->ctrl))
8ff52f7d 1687 s = rfcomm_recv_disc(s, dlci);
1da177e4
LT		 1688 break;
1689
1690 case RFCOMM_UA:
1691 if (__test_pf(hdr->ctrl))
8ff52f7d 1692 s = rfcomm_recv_ua(s, dlci);
1da177e4
LT		 1693 break;
1694
1695 case RFCOMM_DM:
8ff52f7d 1696 s = rfcomm_recv_dm(s, dlci);
1da177e4
LT		 1697 break;
1698
1699 case RFCOMM_UIH:
8ff52f7d
DJ		 1700 if (dlci) {
1701 rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1702 return s;
1703 }
1da177e4
LT		 1704 rfcomm_recv_mcc(s, skb);
1705 break;
1706
1707 default:
5017d8dd 1708 BT_ERR("Unknown packet type 0x%02x", type);
1da177e4
LT		 1709 break;
1710 }
1711 kfree_skb(skb);
8ff52f7d 1712 return s;
1da177e4
LT		 1713}
1714
1715/* ---- Connection and data processing ---- */
1716
1717static void rfcomm_process_connect(struct rfcomm_session *s)
1718{
1719 struct rfcomm_dlc *d;
1720 struct list_head *p, *n;
1721
1722 BT_DBG("session %p state %ld", s, s->state);
1723
1724 list_for_each_safe(p, n, &s->dlcs) {
1725 d = list_entry(p, struct rfcomm_dlc, list);
1726 if (d->state == BT_CONFIG) {
1727 d->mtu = s->mtu;
9f2c8a03 1728 if (rfcomm_check_security(d)) {
8c1b2355
MH		 1729 rfcomm_send_pn(s, 1, d);
1730 } else {
77db1980
MH		 1731 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1732 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
8c1b2355 1733 }
1da177e4
LT		 1734 }
1735 }
1736}
1737
1738/* Send data queued for the DLC.
1739 * Return number of frames left in the queue.
1740 */
6039aa73 1741static int rfcomm_process_tx(struct rfcomm_dlc *d)
1da177e4
LT		 1742{
1743 struct sk_buff *skb;
1744 int err;
1745
8e87d142 1746 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1da177e4
LT		 1747 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1748
1749 /* Send pending MSC */
1750 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
8e87d142 1751 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1da177e4
LT		 1752
1753 if (d->cfc) {
8e87d142 1754 /* CFC enabled.
1da177e4
LT		 1755 * Give them some credits */
1756 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
8e87d142 1757 d->rx_credits <= (d->cfc >> 2)) {
1da177e4
LT		 1758 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1759 d->rx_credits = d->cfc;
1760 }
1761 } else {
1762 /* CFC disabled.
1763 * Give ourselves some credits */
1764 d->tx_credits = 5;
1765 }
1766
1767 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1768 return skb_queue_len(&d->tx_queue);
1769
1770 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
5436538f 1771 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1da177e4
LT		 1772 if (err < 0) {
1773 skb_queue_head(&d->tx_queue, skb);
1774 break;
1775 }
1776 kfree_skb(skb);
1777 d->tx_credits--;
1778 }
1779
1780 if (d->cfc && !d->tx_credits) {
1781 /* We're out of TX credits.
1782 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1783 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1784 }
1785
1786 return skb_queue_len(&d->tx_queue);
1787}
1788
6039aa73 1789static void rfcomm_process_dlcs(struct rfcomm_session *s)
1da177e4
LT		 1790{
1791 struct rfcomm_dlc *d;
1792 struct list_head *p, *n;
1793
1794 BT_DBG("session %p state %ld", s, s->state);
1795
1796 list_for_each_safe(p, n, &s->dlcs) {
1797 d = list_entry(p, struct rfcomm_dlc, list);
1798
1799 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1800 __rfcomm_dlc_close(d, ETIMEDOUT);
1801 continue;
1802 }
1803
db54467a
SJ		 1804 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1805 __rfcomm_dlc_close(d, ECONNREFUSED);
1806 continue;
1807 }
1808
1da177e4
LT		 1809 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1810 rfcomm_dlc_clear_timer(d);
77db1980
MH		 1811 if (d->out) {
1812 rfcomm_send_pn(s, 1, d);
1813 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
bb23c0ab
MH		 1814 } else {
1815 if (d->defer_setup) {
1816 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1817 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
8bf47941
MH		 1818
1819 rfcomm_dlc_lock(d);
1820 d->state = BT_CONNECT2;
1821 d->state_change(d, 0);
1822 rfcomm_dlc_unlock(d);
bb23c0ab
MH		 1823 } else
1824 rfcomm_dlc_accept(d);
1825 }
1da177e4
LT		 1826 continue;
1827 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1828 rfcomm_dlc_clear_timer(d);
77db1980
MH		 1829 if (!d->out)
1830 rfcomm_send_dm(s, d->dlci);
1831 else
1832 d->state = BT_CLOSED;
1da177e4
LT		 1833 __rfcomm_dlc_close(d, ECONNREFUSED);
1834 continue;
1835 }
1836
6e1031a4
JG		 1837 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1838 continue;
1839
1da177e4
LT		 1840 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1841 continue;
1842
1843 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
77db1980 1844 d->mscex == RFCOMM_MSCEX_OK)
1da177e4
LT		 1845 rfcomm_process_tx(d);
1846 }
1847}
1848
8ff52f7d 1849static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1da177e4
LT		 1850{
1851 struct socket *sock = s->sock;
1852 struct sock *sk = sock->sk;
1853 struct sk_buff *skb;
1854
1855 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1856
1857 /* Get data directly from socket receive queue without copying it. */
1858 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1859 skb_orphan(skb);
07b41b34 1860 if (!skb_linearize(skb)) {
8ff52f7d 1861 s = rfcomm_recv_frame(s, skb);
07b41b34
VR		 1862 if (!s)
1863 break;
1864 } else {
44935720 1865 kfree_skb(skb);
07b41b34 1866 }
1da177e4
LT		 1867 }
1868
08c30aca
DJ		 1869 if (s && (sk->sk_state == BT_CLOSED))
1870 s = rfcomm_session_close(s, sk->sk_err);
8ff52f7d
DJ		 1871
1872 return s;
1da177e4
LT		 1873}
1874
6039aa73 1875static void rfcomm_accept_connection(struct rfcomm_session *s)
1da177e4
LT		 1876{
1877 struct socket *sock = s->sock, *nsock;
1878 int err;
1879
1880 /* Fast check for a new connection.
1881 * Avoids unnesesary socket allocations. */
1882 if (list_empty(&bt_sk(sock->sk)->accept_q))
1883 return;
1884
1885 BT_DBG("session %p", s);
1886
48db9ca4
MH		 1887 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1888 if (err < 0)
1da177e4
LT		 1889 return;
1890
1da177e4
LT		 1891 /* Set our callbacks */
1892 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1893 nsock->sk->sk_state_change = rfcomm_l2state_change;
1894
1895 s = rfcomm_session_add(nsock, BT_OPEN);
1896 if (s) {
98bcd08b
MH		 1897 /* We should adjust MTU on incoming sessions.
1898 * L2CAP MTU minus UIH header and FCS. */
0c1bc5c6
GP		 1899 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1900 l2cap_pi(nsock->sk)->chan->imtu) - 5;
98bcd08b 1901
534c92fd 1902 rfcomm_schedule();
1da177e4
LT		 1903 } else
1904 sock_release(nsock);
1905}
1906
8ff52f7d 1907static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1da177e4
LT		 1908{
1909 struct sock *sk = s->sock->sk;
1910
1911 BT_DBG("%p state %ld", s, s->state);
1912
285b4e90 1913 switch (sk->sk_state) {
1da177e4
LT		 1914 case BT_CONNECTED:
1915 s->state = BT_CONNECT;
1916
1917 /* We can adjust MTU on outgoing sessions.
1918 * L2CAP MTU minus UIH header and FCS. */
0c1bc5c6 1919 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1da177e4
LT		 1920
1921 rfcomm_send_sabm(s, 0);
1922 break;
1923
1924 case BT_CLOSED:
8ff52f7d 1925 s = rfcomm_session_close(s, sk->sk_err);
1da177e4
LT		 1926 break;
1927 }
8ff52f7d 1928 return s;
1da177e4
LT		 1929}
1930
6039aa73 1931static void rfcomm_process_sessions(void)
1da177e4
LT		 1932{
1933 struct list_head *p, *n;
1934
1935 rfcomm_lock();
1936
1937 list_for_each_safe(p, n, &session_list) {
1938 struct rfcomm_session *s;
1939 s = list_entry(p, struct rfcomm_session, list);
1940
9e726b17
LAD		 1941 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1942 s->state = BT_DISCONN;
1943 rfcomm_send_disc(s, 0);
1944 continue;
1945 }
1946
1da177e4
LT		 1947 if (s->state == BT_LISTEN) {
1948 rfcomm_accept_connection(s);
1949 continue;
1950 }
1951
1da177e4
LT		 1952 switch (s->state) {
1953 case BT_BOUND:
8ff52f7d 1954 s = rfcomm_check_connection(s);
1da177e4
LT		 1955 break;
1956
1957 default:
8ff52f7d 1958 s = rfcomm_process_rx(s);
1da177e4
LT		 1959 break;
1960 }
1961
8ff52f7d
DJ		 1962 if (s)
1963 rfcomm_process_dlcs(s);
1da177e4
LT		 1964 }
1965
1966 rfcomm_unlock();
1967}
1968
1da177e4
LT		 1969static int rfcomm_add_listener(bdaddr_t *ba)
1970{
1971 struct sockaddr_l2 addr;
1972 struct socket *sock;
1973 struct sock *sk;
1974 struct rfcomm_session *s;
1975 int err = 0;
1976
1977 /* Create socket */
1978 err = rfcomm_l2sock_create(&sock);
8e87d142 1979 if (err < 0) {
1da177e4
LT		 1980 BT_ERR("Create socket failed %d", err);
1981 return err;
1982 }
1983
1984 /* Bind socket */
1985 bacpy(&addr.l2_bdaddr, ba);
1986 addr.l2_family = AF_BLUETOOTH;
5bcb8094 1987 addr.l2_psm = __constant_cpu_to_le16(RFCOMM_PSM);
37e62f55 1988 addr.l2_cid = 0;
48db9ca4 1989 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1da177e4
LT		 1990 if (err < 0) {
1991 BT_ERR("Bind failed %d", err);
1992 goto failed;
1993 }
1994
1995 /* Set L2CAP options */
1996 sk = sock->sk;
1997 lock_sock(sk);
0c1bc5c6 1998 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
1da177e4
LT		 1999 release_sock(sk);
2000
2001 /* Start listening on the socket */
48db9ca4 2002 err = kernel_listen(sock, 10);
1da177e4
LT		 2003 if (err) {
2004 BT_ERR("Listen failed %d", err);
2005 goto failed;
2006 }
2007
2008 /* Add listening session */
2009 s = rfcomm_session_add(sock, BT_LISTEN);
0227c7b5
WY		 2010 if (!s) {
2011 err = -ENOMEM;
1da177e4 2012 goto failed;
0227c7b5 2013 }
1da177e4 2014
1da177e4
LT		 2015 return 0;
2016failed:
2017 sock_release(sock);
2018 return err;
2019}
2020
2021static void rfcomm_kill_listener(void)
2022{
2023 struct rfcomm_session *s;
2024 struct list_head *p, *n;
2025
2026 BT_DBG("");
2027
2028 list_for_each_safe(p, n, &session_list) {
2029 s = list_entry(p, struct rfcomm_session, list);
2030 rfcomm_session_del(s);
2031 }
2032}
2033
2034static int rfcomm_run(void *unused)
2035{
a524eccc 2036 BT_DBG("");
1da177e4 2037
1da177e4 2038 set_user_nice(current, -10);
1da177e4 2039
1da177e4
LT		 2040 rfcomm_add_listener(BDADDR_ANY);
2041
e5842cdb 2042 while (1) {
a524eccc 2043 set_current_state(TASK_INTERRUPTIBLE);
e5842cdb
PH		 2044
2045 if (kthread_should_stop())
2046 break;
a524eccc
MH		 2047
2048 /* Process stuff */
a524eccc 2049 rfcomm_process_sessions();
e5842cdb
PH		 2050
2051 schedule();
a524eccc 2052 }
e5842cdb 2053 __set_current_state(TASK_RUNNING);
1da177e4
LT		 2054
2055 rfcomm_kill_listener();
2056
1da177e4
LT		 2057 return 0;
2058}
2059
8c1b2355 2060static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
1da177e4
LT		 2061{
2062 struct rfcomm_session *s;
2063 struct rfcomm_dlc *d;
2064 struct list_head *p, *n;
2065
2066 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2067
2068 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2069 if (!s)
2070 return;
2071
1da177e4
LT		 2072 list_for_each_safe(p, n, &s->dlcs) {
2073 d = list_entry(p, struct rfcomm_dlc, list);
2074
8c84b830
MH		 2075 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2076 rfcomm_dlc_clear_timer(d);
2077 if (status || encrypt == 0x00) {
db54467a 2078 set_bit(RFCOMM_ENC_DROP, &d->flags);
8c84b830
MH		 2079 continue;
2080 }
2081 }
2082
2083 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2084 if (d->sec_level == BT_SECURITY_MEDIUM) {
2085 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2086 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2087 continue;
2088 } else if (d->sec_level == BT_SECURITY_HIGH) {
db54467a 2089 set_bit(RFCOMM_ENC_DROP, &d->flags);
8c84b830
MH		 2090 continue;
2091 }
9719f8af
MH		 2092 }
2093
1da177e4
LT		 2094 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2095 continue;
2096
b3b1b061 2097 if (!status && hci_conn_check_secure(conn, d->sec_level))
1da177e4
LT		 2098 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2099 else
2100 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2101 }
2102
534c92fd 2103 rfcomm_schedule();
1da177e4
LT		 2104}
2105
2106static struct hci_cb rfcomm_cb = {
2107 .name = "RFCOMM",
8c1b2355 2108 .security_cfm = rfcomm_security_cfm
1da177e4
LT		 2109};
2110
aef7d97c 2111static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
1da177e4
LT		 2112{
2113 struct rfcomm_session *s;
1da177e4
LT		 2114
2115 rfcomm_lock();
2116
8035ded4
LAD		 2117 list_for_each_entry(s, &session_list, list) {
2118 struct rfcomm_dlc *d;
2119 list_for_each_entry(d, &s->dlcs, list) {
be9d1227 2120 struct sock *sk = s->sock->sk;
1da177e4 2121
fcb73338
AE		 2122 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2123 &bt_sk(sk)->src, &bt_sk(sk)->dst,
2124 d->state, d->dlci, d->mtu,
2125 d->rx_credits, d->tx_credits);
1da177e4
LT		 2126 }
2127 }
1da177e4 2128
1da177e4 2129 rfcomm_unlock();
1da177e4 2130
aef7d97c
MH		 2131 return 0;
2132}
2133
2134static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2135{
2136 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
1da177e4
LT		 2137}
2138
aef7d97c
MH		 2139static const struct file_operations rfcomm_dlc_debugfs_fops = {
2140 .open = rfcomm_dlc_debugfs_open,
2141 .read = seq_read,
2142 .llseek = seq_lseek,
2143 .release = single_release,
2144};
2145
2146static struct dentry *rfcomm_dlc_debugfs;
1da177e4
LT		 2147
2148/* ---- Initialization ---- */
2149static int __init rfcomm_init(void)
2150{
52d18347 2151 int err;
af0d3b10 2152
1da177e4
LT		 2153 hci_register_cb(&rfcomm_cb);
2154
a524eccc
MH		 2155 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2156 if (IS_ERR(rfcomm_thread)) {
52d18347
MH		 2157 err = PTR_ERR(rfcomm_thread);
2158 goto unregister;
a524eccc 2159 }
1da177e4 2160
aef7d97c
MH		 2161 if (bt_debugfs) {
2162 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2163 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2164 if (!rfcomm_dlc_debugfs)
2165 BT_ERR("Failed to create RFCOMM debug file");
2166 }
1da177e4 2167
52d18347
MH		 2168 err = rfcomm_init_ttys();
2169 if (err < 0)
2170 goto stop;
1da177e4 2171
52d18347
MH		 2172 err = rfcomm_init_sockets();
2173 if (err < 0)
2174 goto cleanup;
1da177e4 2175
be9d1227
MH		 2176 BT_INFO("RFCOMM ver %s", VERSION);
2177
1da177e4 2178 return 0;
af0d3b10 2179
52d18347 2180cleanup:
af0d3b10 2181 rfcomm_cleanup_ttys();
52d18347
MH		 2182
2183stop:
af0d3b10 2184 kthread_stop(rfcomm_thread);
52d18347
MH		 2185
2186unregister:
af0d3b10
DY		 2187 hci_unregister_cb(&rfcomm_cb);
2188
52d18347 2189 return err;
1da177e4
LT		 2190}
2191
2192static void __exit rfcomm_exit(void)
2193{
aef7d97c 2194 debugfs_remove(rfcomm_dlc_debugfs);
be9d1227 2195
1da177e4
LT		 2196 hci_unregister_cb(&rfcomm_cb);
2197
a524eccc 2198 kthread_stop(rfcomm_thread);
1da177e4 2199
1da177e4 2200 rfcomm_cleanup_ttys();
1da177e4
LT		 2201
2202 rfcomm_cleanup_sockets();
1da177e4
LT		 2203}
2204
2205module_init(rfcomm_init);
2206module_exit(rfcomm_exit);
2207
7c2660b0
MH		 2208module_param(disable_cfc, bool, 0644);
2209MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2210
98bcd08b
MH		 2211module_param(channel_mtu, int, 0644);
2212MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2213
56f3a40a
MH		 2214module_param(l2cap_mtu, uint, 0644);
2215MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2216
eae38eed
MH		 2217module_param(l2cap_ertm, bool, 0644);
2218MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2219
63fbd24e 2220MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 2221MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2222MODULE_VERSION(VERSION);
2223MODULE_LICENSE("GPL");
2224MODULE_ALIAS("bt-proto-3");
kernel source for telekom puls (alcatel/mediatek)