projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Return RFCOMM session ptrs to avoid freed session
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / rfcomm / core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
8e87d142
YH		 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 21 SOFTWARE IS DISCLAIMED.
22*/
23
1da177e4
LT		 24/*
25 * Bluetooth RFCOMM core.
1da177e4
LT		 26 */
27
1da177e4 28#include <linux/module.h>
aef7d97c 29#include <linux/debugfs.h>
a524eccc 30#include <linux/kthread.h>
1da177e4
LT		 31#include <asm/unaligned.h>
32
33#include <net/bluetooth/bluetooth.h>
34#include <net/bluetooth/hci_core.h>
35#include <net/bluetooth/l2cap.h>
36#include <net/bluetooth/rfcomm.h>
37
5f9018af 38#define VERSION "1.11"
56f3a40a 39
eb939922
RR		 40static bool disable_cfc;
41static bool l2cap_ertm;
98bcd08b 42static int channel_mtu = -1;
56f3a40a
MH		 43static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44
1da177e4
LT		 45static struct task_struct *rfcomm_thread;
46
4a3e2f71
AV		 47static DEFINE_MUTEX(rfcomm_mutex);
48#define rfcomm_lock() mutex_lock(&rfcomm_mutex)
49#define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
1da177e4 50
1da177e4
LT		 51
52static LIST_HEAD(session_list);
1da177e4 53
5436538f 54static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
1da177e4
LT		 55static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64
65static void rfcomm_process_connect(struct rfcomm_session *s);
66
63ce0900
LAD		 67static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68 bdaddr_t *dst,
69 u8 sec_level,
70 int *err);
1da177e4 71static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
8ff52f7d 72static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
1da177e4
LT		 73
74/* ---- RFCOMM frame parsing macros ---- */
75#define __get_dlci(b) ((b & 0xfc) >> 2)
76#define __get_channel(b) ((b & 0xf8) >> 3)
77#define __get_dir(b) ((b & 0x04) >> 2)
78#define __get_type(b) ((b & 0xef))
79
80#define __test_ea(b) ((b & 0x01))
81#define __test_cr(b) ((b & 0x02))
82#define __test_pf(b) ((b & 0x10))
83
84#define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
85#define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
86#define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
87#define __srv_channel(dlci) (dlci >> 1)
88#define __dir(dlci) (dlci & 0x01)
89
90#define __len8(len) (((len) << 1) | 1)
91#define __len16(len) ((len) << 1)
92
93/* MCC macros */
94#define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
95#define __get_mcc_type(b) ((b & 0xfc) >> 2)
96#define __get_mcc_len(b) ((b & 0xfe) >> 1)
97
98/* RPN macros */
3a5e903c 99#define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
1da177e4
LT		 100#define __get_rpn_data_bits(line) ((line) & 0x3)
101#define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
3a5e903c 102#define __get_rpn_parity(line) (((line) >> 3) & 0x7)
1da177e4 103
6039aa73 104static void rfcomm_schedule(void)
1da177e4
LT		 105{
106 if (!rfcomm_thread)
107 return;
1da177e4
LT		 108 wake_up_process(rfcomm_thread);
109}
110
8ff52f7d 111static struct rfcomm_session *rfcomm_session_put(struct rfcomm_session *s)
1da177e4 112{
8ff52f7d
DJ		 113 if (s && atomic_dec_and_test(&s->refcnt))
114 s = rfcomm_session_del(s);
115
116 return s;
1da177e4
LT		 117}
118
119/* ---- RFCOMM FCS computation ---- */
120
408c1ce2 121/* reversed, 8-bit, poly=0x07 */
8e87d142 122static unsigned char rfcomm_crc_table[256] = {
408c1ce2
MH		 123 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
124 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
125 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
126 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
127
128 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
129 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
130 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
131 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
132
133 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
134 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
135 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
136 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
137
138 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
139 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
140 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
141 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
142
143 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
144 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
145 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
146 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
147
148 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
149 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
150 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
151 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
152
153 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
154 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
155 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
156 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
157
158 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
159 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
160 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
161 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
162};
163
1da177e4
LT		 164/* CRC on 2 bytes */
165#define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
166
8e87d142 167/* FCS on 2 bytes */
1da177e4
LT		 168static inline u8 __fcs(u8 *data)
169{
a02cec21 170 return 0xff - __crc(data);
1da177e4
LT		 171}
172
8e87d142 173/* FCS on 3 bytes */
1da177e4
LT		 174static inline u8 __fcs2(u8 *data)
175{
a02cec21 176 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
1da177e4
LT		 177}
178
179/* Check FCS */
180static inline int __check_fcs(u8 *data, int type, u8 fcs)
181{
182 u8 f = __crc(data);
183
184 if (type != RFCOMM_UIH)
185 f = rfcomm_crc_table[f ^ data[2]];
186
187 return rfcomm_crc_table[f ^ fcs] != 0xcf;
188}
189
190/* ---- L2CAP callbacks ---- */
191static void rfcomm_l2state_change(struct sock *sk)
192{
193 BT_DBG("%p state %d", sk, sk->sk_state);
534c92fd 194 rfcomm_schedule();
1da177e4
LT		 195}
196
197static void rfcomm_l2data_ready(struct sock *sk, int bytes)
198{
199 BT_DBG("%p bytes %d", sk, bytes);
534c92fd 200 rfcomm_schedule();
1da177e4
LT		 201}
202
203static int rfcomm_l2sock_create(struct socket **sock)
204{
205 int err;
206
207 BT_DBG("");
208
209 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
210 if (!err) {
211 struct sock *sk = (*sock)->sk;
212 sk->sk_data_ready = rfcomm_l2data_ready;
213 sk->sk_state_change = rfcomm_l2state_change;
214 }
215 return err;
216}
217
6039aa73 218static int rfcomm_check_security(struct rfcomm_dlc *d)
77db1980
MH		 219{
220 struct sock *sk = d->session->sock->sk;
8c1d787b
GP		 221 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
222
0684e5f9
MH		 223 __u8 auth_type;
224
225 switch (d->sec_level) {
226 case BT_SECURITY_HIGH:
227 auth_type = HCI_AT_GENERAL_BONDING_MITM;
228 break;
229 case BT_SECURITY_MEDIUM:
230 auth_type = HCI_AT_GENERAL_BONDING;
231 break;
232 default:
233 auth_type = HCI_AT_NO_BONDING;
234 break;
235 }
77db1980 236
8c1d787b 237 return hci_conn_security(conn->hcon, d->sec_level, auth_type);
77db1980
MH		 238}
239
9e726b17
LAD		 240static void rfcomm_session_timeout(unsigned long arg)
241{
242 struct rfcomm_session *s = (void *) arg;
243
244 BT_DBG("session %p state %ld", s, s->state);
245
246 set_bit(RFCOMM_TIMED_OUT, &s->flags);
534c92fd 247 rfcomm_schedule();
9e726b17
LAD		 248}
249
250static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
251{
252 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
253
254 if (!mod_timer(&s->timer, jiffies + timeout))
255 rfcomm_session_hold(s);
256}
257
258static void rfcomm_session_clear_timer(struct rfcomm_session *s)
259{
260 BT_DBG("session %p state %ld", s, s->state);
261
fea7b02f 262 if (del_timer_sync(&s->timer))
9e726b17
LAD		 263 rfcomm_session_put(s);
264}
265
1da177e4
LT		 266/* ---- RFCOMM DLCs ---- */
267static void rfcomm_dlc_timeout(unsigned long arg)
268{
269 struct rfcomm_dlc *d = (void *) arg;
270
271 BT_DBG("dlc %p state %ld", d, d->state);
272
273 set_bit(RFCOMM_TIMED_OUT, &d->flags);
274 rfcomm_dlc_put(d);
534c92fd 275 rfcomm_schedule();
1da177e4
LT		 276}
277
278static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
279{
280 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
281
282 if (!mod_timer(&d->timer, jiffies + timeout))
283 rfcomm_dlc_hold(d);
284}
285
286static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
287{
288 BT_DBG("dlc %p state %ld", d, d->state);
289
25cc4ae9 290 if (del_timer(&d->timer))
1da177e4
LT		 291 rfcomm_dlc_put(d);
292}
293
294static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
295{
296 BT_DBG("%p", d);
297
298 d->state = BT_OPEN;
299 d->flags = 0;
300 d->mscex = 0;
183f732c 301 d->sec_level = BT_SECURITY_LOW;
1da177e4
LT		 302 d->mtu = RFCOMM_DEFAULT_MTU;
303 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
304
305 d->cfc = RFCOMM_CFC_DISABLED;
306 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
307}
308
dd0fc66f 309struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
1da177e4 310{
25ea6db0
MH		 311 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
312
1da177e4
LT		 313 if (!d)
314 return NULL;
1da177e4 315
b24b8a24 316 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
1da177e4
LT		 317
318 skb_queue_head_init(&d->tx_queue);
319 spin_lock_init(&d->lock);
320 atomic_set(&d->refcnt, 1);
321
322 rfcomm_dlc_clear_state(d);
8e87d142 323
1da177e4 324 BT_DBG("%p", d);
25ea6db0 325
1da177e4
LT		 326 return d;
327}
328
329void rfcomm_dlc_free(struct rfcomm_dlc *d)
330{
331 BT_DBG("%p", d);
332
333 skb_queue_purge(&d->tx_queue);
334 kfree(d);
335}
336
337static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
338{
339 BT_DBG("dlc %p session %p", d, s);
340
341 rfcomm_session_hold(s);
342
9e726b17 343 rfcomm_session_clear_timer(s);
1da177e4
LT		 344 rfcomm_dlc_hold(d);
345 list_add(&d->list, &s->dlcs);
346 d->session = s;
347}
348
349static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
350{
351 struct rfcomm_session *s = d->session;
352
353 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
354
355 list_del(&d->list);
356 d->session = NULL;
357 rfcomm_dlc_put(d);
358
9e726b17
LAD		 359 if (list_empty(&s->dlcs))
360 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
361
1da177e4
LT		 362 rfcomm_session_put(s);
363}
364
365static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
366{
367 struct rfcomm_dlc *d;
1da177e4 368
8035ded4 369 list_for_each_entry(d, &s->dlcs, list)
1da177e4
LT		 370 if (d->dlci == dlci)
371 return d;
8035ded4 372
1da177e4
LT		 373 return NULL;
374}
375
376static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
377{
378 struct rfcomm_session *s;
379 int err = 0;
380 u8 dlci;
381
6ed93dc6
AE		 382 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
383 d, d->state, src, dst, channel);
1da177e4
LT		 384
385 if (channel < 1 || channel > 30)
386 return -EINVAL;
387
388 if (d->state != BT_OPEN && d->state != BT_CLOSED)
389 return 0;
390
391 s = rfcomm_session_get(src, dst);
392 if (!s) {
63ce0900 393 s = rfcomm_session_create(src, dst, d->sec_level, &err);
1da177e4
LT		 394 if (!s)
395 return err;
396 }
397
398 dlci = __dlci(!s->initiator, channel);
399
400 /* Check if DLCI already exists */
401 if (rfcomm_dlc_get(s, dlci))
402 return -EBUSY;
403
404 rfcomm_dlc_clear_state(d);
405
406 d->dlci = dlci;
407 d->addr = __addr(s->initiator, dlci);
408 d->priority = 7;
409
77db1980 410 d->state = BT_CONFIG;
1da177e4
LT		 411 rfcomm_dlc_link(s, d);
412
77db1980
MH		 413 d->out = 1;
414
1da177e4
LT		 415 d->mtu = s->mtu;
416 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
417
77db1980 418 if (s->state == BT_CONNECTED) {
9f2c8a03 419 if (rfcomm_check_security(d))
77db1980 420 rfcomm_send_pn(s, 1, d);
8c1b2355
MH		 421 else
422 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
77db1980
MH		 423 }
424
1da177e4 425 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
77db1980 426
1da177e4
LT		 427 return 0;
428}
429
430int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
431{
432 int r;
433
434 rfcomm_lock();
435
436 r = __rfcomm_dlc_open(d, src, dst, channel);
437
438 rfcomm_unlock();
439 return r;
440}
441
442static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
443{
444 struct rfcomm_session *s = d->session;
445 if (!s)
446 return 0;
447
448 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
449 d, d->state, d->dlci, err, s);
450
451 switch (d->state) {
1da177e4 452 case BT_CONNECT:
bb23c0ab
MH		 453 case BT_CONFIG:
454 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
455 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
534c92fd 456 rfcomm_schedule();
bb23c0ab
MH		 457 break;
458 }
459 /* Fall through */
460
461 case BT_CONNECTED:
1da177e4
LT		 462 d->state = BT_DISCONN;
463 if (skb_queue_empty(&d->tx_queue)) {
464 rfcomm_send_disc(s, d->dlci);
465 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
466 } else {
467 rfcomm_queue_disc(d);
468 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
469 }
470 break;
471
bb23c0ab 472 case BT_OPEN:
8bf47941 473 case BT_CONNECT2:
bb23c0ab
MH		 474 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
475 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
534c92fd 476 rfcomm_schedule();
bb23c0ab
MH		 477 break;
478 }
479 /* Fall through */
480
1da177e4
LT		 481 default:
482 rfcomm_dlc_clear_timer(d);
483
484 rfcomm_dlc_lock(d);
485 d->state = BT_CLOSED;
1905f6c7 486 d->state_change(d, err);
4c8411f8 487 rfcomm_dlc_unlock(d);
1da177e4
LT		 488
489 skb_queue_purge(&d->tx_queue);
1da177e4
LT		 490 rfcomm_dlc_unlink(d);
491 }
492
493 return 0;
494}
495
496int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
497{
c06f7d53
DJ		 498 int r = 0;
499 struct rfcomm_dlc *d_list;
500 struct rfcomm_session *s, *s_list;
501
502 BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
1da177e4
LT		 503
504 rfcomm_lock();
505
c06f7d53
DJ		 506 s = d->session;
507 if (!s)
508 goto no_session;
509
510 /* after waiting on the mutex check the session still exists
511 * then check the dlc still exists
512 */
513 list_for_each_entry(s_list, &session_list, list) {
514 if (s_list == s) {
515 list_for_each_entry(d_list, &s->dlcs, list) {
516 if (d_list == d) {
517 r = __rfcomm_dlc_close(d, err);
518 break;
519 }
520 }
521 break;
522 }
523 }
1da177e4 524
c06f7d53 525no_session:
1da177e4
LT		 526 rfcomm_unlock();
527 return r;
528}
529
530int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
531{
532 int len = skb->len;
533
534 if (d->state != BT_CONNECTED)
535 return -ENOTCONN;
536
537 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
538
539 if (len > d->mtu)
540 return -EINVAL;
541
542 rfcomm_make_uih(skb, d->addr);
543 skb_queue_tail(&d->tx_queue, skb);
544
545 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
534c92fd 546 rfcomm_schedule();
1da177e4
LT		 547 return len;
548}
549
b5606c2d 550void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
1da177e4
LT		 551{
552 BT_DBG("dlc %p state %ld", d, d->state);
553
554 if (!d->cfc) {
555 d->v24_sig |= RFCOMM_V24_FC;
556 set_bit(RFCOMM_MSC_PENDING, &d->flags);
557 }
534c92fd 558 rfcomm_schedule();
1da177e4
LT		 559}
560
b5606c2d 561void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
1da177e4
LT		 562{
563 BT_DBG("dlc %p state %ld", d, d->state);
564
565 if (!d->cfc) {
566 d->v24_sig &= ~RFCOMM_V24_FC;
567 set_bit(RFCOMM_MSC_PENDING, &d->flags);
568 }
534c92fd 569 rfcomm_schedule();
1da177e4
LT		 570}
571
8e87d142 572/*
1da177e4
LT		 573 Set/get modem status functions use _local_ status i.e. what we report
574 to the other side.
575 Remote status is provided by dlc->modem_status() callback.
576 */
577int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
578{
8e87d142 579 BT_DBG("dlc %p state %ld v24_sig 0x%x",
1da177e4
LT		 580 d, d->state, v24_sig);
581
582 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
583 v24_sig |= RFCOMM_V24_FC;
584 else
585 v24_sig &= ~RFCOMM_V24_FC;
8e87d142 586
1da177e4
LT		 587 d->v24_sig = v24_sig;
588
589 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
534c92fd 590 rfcomm_schedule();
1da177e4
LT		 591
592 return 0;
593}
594
595int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
596{
8e87d142 597 BT_DBG("dlc %p state %ld v24_sig 0x%x",
1da177e4
LT		 598 d, d->state, d->v24_sig);
599
600 *v24_sig = d->v24_sig;
601 return 0;
602}
603
604/* ---- RFCOMM sessions ---- */
605static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
606{
25ea6db0
MH		 607 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
608
1da177e4
LT		 609 if (!s)
610 return NULL;
1da177e4
LT		 611
612 BT_DBG("session %p sock %p", s, sock);
613
9e726b17
LAD		 614 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
615
1da177e4
LT		 616 INIT_LIST_HEAD(&s->dlcs);
617 s->state = state;
618 s->sock = sock;
619
620 s->mtu = RFCOMM_DEFAULT_MTU;
7c2660b0 621 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
1da177e4
LT		 622
623 /* Do not increment module usage count for listening sessions.
624 * Otherwise we won't be able to unload the module. */
625 if (state != BT_LISTEN)
626 if (!try_module_get(THIS_MODULE)) {
627 kfree(s);
628 return NULL;
629 }
630
631 list_add(&s->list, &session_list);
632
633 return s;
634}
635
8ff52f7d 636static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
1da177e4
LT		 637{
638 int state = s->state;
639
640 BT_DBG("session %p state %ld", s, s->state);
641
642 list_del(&s->list);
643
644 if (state == BT_CONNECTED)
645 rfcomm_send_disc(s, 0);
646
9e726b17 647 rfcomm_session_clear_timer(s);
1da177e4
LT		 648 sock_release(s->sock);
649 kfree(s);
650
651 if (state != BT_LISTEN)
652 module_put(THIS_MODULE);
8ff52f7d
DJ		 653
654 return NULL;
1da177e4
LT		 655}
656
657static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
658{
659 struct rfcomm_session *s;
660 struct list_head *p, *n;
661 struct bt_sock *sk;
662 list_for_each_safe(p, n, &session_list) {
663 s = list_entry(p, struct rfcomm_session, list);
8e87d142 664 sk = bt_sk(s->sock->sk);
1da177e4
LT		 665
666 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
667 !bacmp(&sk->dst, dst))
668 return s;
669 }
670 return NULL;
671}
672
8ff52f7d
DJ		 673static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
674 int err)
1da177e4
LT		 675{
676 struct rfcomm_dlc *d;
677 struct list_head *p, *n;
678
679 BT_DBG("session %p state %ld err %d", s, s->state, err);
680
681 rfcomm_session_hold(s);
682
683 s->state = BT_CLOSED;
684
685 /* Close all dlcs */
686 list_for_each_safe(p, n, &s->dlcs) {
687 d = list_entry(p, struct rfcomm_dlc, list);
688 d->state = BT_CLOSED;
689 __rfcomm_dlc_close(d, err);
690 }
691
9e726b17 692 rfcomm_session_clear_timer(s);
8ff52f7d 693 return rfcomm_session_put(s);
1da177e4
LT		 694}
695
63ce0900
LAD		 696static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
697 bdaddr_t *dst,
698 u8 sec_level,
699 int *err)
1da177e4
LT		 700{
701 struct rfcomm_session *s = NULL;
702 struct sockaddr_l2 addr;
703 struct socket *sock;
704 struct sock *sk;
705
6ed93dc6 706 BT_DBG("%pMR -> %pMR", src, dst);
1da177e4
LT		 707
708 *err = rfcomm_l2sock_create(&sock);
709 if (*err < 0)
710 return NULL;
711
712 bacpy(&addr.l2_bdaddr, src);
713 addr.l2_family = AF_BLUETOOTH;
714 addr.l2_psm = 0;
37e62f55 715 addr.l2_cid = 0;
48db9ca4 716 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1da177e4
LT		 717 if (*err < 0)
718 goto failed;
719
720 /* Set L2CAP options */
721 sk = sock->sk;
722 lock_sock(sk);
0c1bc5c6 723 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
47d1ec61 724 l2cap_pi(sk)->chan->sec_level = sec_level;
eae38eed 725 if (l2cap_ertm)
0c1bc5c6 726 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
1da177e4
LT		 727 release_sock(sk);
728
729 s = rfcomm_session_add(sock, BT_BOUND);
730 if (!s) {
731 *err = -ENOMEM;
732 goto failed;
733 }
734
1da177e4
LT		 735 s->initiator = 1;
736
737 bacpy(&addr.l2_bdaddr, dst);
738 addr.l2_family = AF_BLUETOOTH;
5bcb8094 739 addr.l2_psm = __constant_cpu_to_le16(RFCOMM_PSM);
37e62f55 740 addr.l2_cid = 0;
48db9ca4 741 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
b4c612a4 742 if (*err == 0 || *err == -EINPROGRESS)
1da177e4
LT		 743 return s;
744
8ff52f7d 745 return rfcomm_session_del(s);
1da177e4
LT		 746
747failed:
748 sock_release(sock);
749 return NULL;
750}
751
752void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
753{
754 struct sock *sk = s->sock->sk;
755 if (src)
756 bacpy(src, &bt_sk(sk)->src);
757 if (dst)
758 bacpy(dst, &bt_sk(sk)->dst);
759}
760
761/* ---- RFCOMM frame sending ---- */
5436538f 762static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
1da177e4 763{
1da177e4
LT		 764 struct kvec iv = { data, len };
765 struct msghdr msg;
766
5436538f 767 BT_DBG("session %p len %d", s, len);
1da177e4
LT		 768
769 memset(&msg, 0, sizeof(msg));
770
5436538f 771 return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
1da177e4
LT		 772}
773
262038fc
LAD		 774static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
775{
776 BT_DBG("%p cmd %u", s, cmd->ctrl);
777
5436538f 778 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
262038fc
LAD		 779}
780
1da177e4
LT		 781static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
782{
783 struct rfcomm_cmd cmd;
784
785 BT_DBG("%p dlci %d", s, dlci);
786
787 cmd.addr = __addr(s->initiator, dlci);
788 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
789 cmd.len = __len8(0);
790 cmd.fcs = __fcs2((u8 *) &cmd);
791
262038fc 792 return rfcomm_send_cmd(s, &cmd);
1da177e4
LT		 793}
794
795static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
796{
797 struct rfcomm_cmd cmd;
798
799 BT_DBG("%p dlci %d", s, dlci);
800
801 cmd.addr = __addr(!s->initiator, dlci);
802 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
803 cmd.len = __len8(0);
804 cmd.fcs = __fcs2((u8 *) &cmd);
805
262038fc 806 return rfcomm_send_cmd(s, &cmd);
1da177e4
LT		 807}
808
809static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
810{
811 struct rfcomm_cmd cmd;
812
813 BT_DBG("%p dlci %d", s, dlci);
814
815 cmd.addr = __addr(s->initiator, dlci);
816 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
817 cmd.len = __len8(0);
818 cmd.fcs = __fcs2((u8 *) &cmd);
819
262038fc 820 return rfcomm_send_cmd(s, &cmd);
1da177e4
LT		 821}
822
823static int rfcomm_queue_disc(struct rfcomm_dlc *d)
824{
825 struct rfcomm_cmd *cmd;
826 struct sk_buff *skb;
827
828 BT_DBG("dlc %p dlci %d", d, d->dlci);
829
830 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
831 if (!skb)
832 return -ENOMEM;
833
834 cmd = (void *) __skb_put(skb, sizeof(*cmd));
835 cmd->addr = d->addr;
836 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
837 cmd->len = __len8(0);
838 cmd->fcs = __fcs2((u8 *) cmd);
839
840 skb_queue_tail(&d->tx_queue, skb);
534c92fd 841 rfcomm_schedule();
1da177e4
LT		 842 return 0;
843}
844
845static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
846{
847 struct rfcomm_cmd cmd;
848
849 BT_DBG("%p dlci %d", s, dlci);
850
851 cmd.addr = __addr(!s->initiator, dlci);
852 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
853 cmd.len = __len8(0);
854 cmd.fcs = __fcs2((u8 *) &cmd);
855
262038fc 856 return rfcomm_send_cmd(s, &cmd);
1da177e4
LT		 857}
858
859static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
860{
861 struct rfcomm_hdr *hdr;
862 struct rfcomm_mcc *mcc;
863 u8 buf[16], *ptr = buf;
864
865 BT_DBG("%p cr %d type %d", s, cr, type);
866
867 hdr = (void *) ptr; ptr += sizeof(*hdr);
868 hdr->addr = __addr(s->initiator, 0);
869 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
870 hdr->len = __len8(sizeof(*mcc) + 1);
871
872 mcc = (void *) ptr; ptr += sizeof(*mcc);
873 mcc->type = __mcc_type(cr, RFCOMM_NSC);
874 mcc->len = __len8(1);
875
876 /* Type that we didn't like */
877 *ptr = __mcc_type(cr, type); ptr++;
878
879 *ptr = __fcs(buf); ptr++;
880
5436538f 881 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 882}
883
884static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
885{
886 struct rfcomm_hdr *hdr;
887 struct rfcomm_mcc *mcc;
888 struct rfcomm_pn *pn;
889 u8 buf[16], *ptr = buf;
890
891 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
892
893 hdr = (void *) ptr; ptr += sizeof(*hdr);
894 hdr->addr = __addr(s->initiator, 0);
895 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
896 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
897
898 mcc = (void *) ptr; ptr += sizeof(*mcc);
899 mcc->type = __mcc_type(cr, RFCOMM_PN);
900 mcc->len = __len8(sizeof(*pn));
901
902 pn = (void *) ptr; ptr += sizeof(*pn);
903 pn->dlci = d->dlci;
904 pn->priority = d->priority;
905 pn->ack_timer = 0;
906 pn->max_retrans = 0;
907
908 if (s->cfc) {
909 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
910 pn->credits = RFCOMM_DEFAULT_CREDITS;
911 } else {
912 pn->flow_ctrl = 0;
913 pn->credits = 0;
914 }
915
98bcd08b 916 if (cr && channel_mtu >= 0)
b4324b5d 917 pn->mtu = cpu_to_le16(channel_mtu);
98bcd08b 918 else
b4324b5d 919 pn->mtu = cpu_to_le16(d->mtu);
1da177e4
LT		 920
921 *ptr = __fcs(buf); ptr++;
922
5436538f 923 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 924}
925
3a5e903c
S		 926int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
927 u8 bit_rate, u8 data_bits, u8 stop_bits,
8e87d142 928 u8 parity, u8 flow_ctrl_settings,
3a5e903c 929 u8 xon_char, u8 xoff_char, u16 param_mask)
1da177e4
LT		 930{
931 struct rfcomm_hdr *hdr;
932 struct rfcomm_mcc *mcc;
933 struct rfcomm_rpn *rpn;
934 u8 buf[16], *ptr = buf;
935
936 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
8e87d142
YH		 937 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
938 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
3a5e903c 939 flow_ctrl_settings, xon_char, xoff_char, param_mask);
1da177e4
LT		 940
941 hdr = (void *) ptr; ptr += sizeof(*hdr);
942 hdr->addr = __addr(s->initiator, 0);
943 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
944 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
945
946 mcc = (void *) ptr; ptr += sizeof(*mcc);
947 mcc->type = __mcc_type(cr, RFCOMM_RPN);
948 mcc->len = __len8(sizeof(*rpn));
949
950 rpn = (void *) ptr; ptr += sizeof(*rpn);
951 rpn->dlci = __addr(1, dlci);
952 rpn->bit_rate = bit_rate;
953 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
954 rpn->flow_ctrl = flow_ctrl_settings;
955 rpn->xon_char = xon_char;
956 rpn->xoff_char = xoff_char;
e8db8c99 957 rpn->param_mask = cpu_to_le16(param_mask);
1da177e4
LT		 958
959 *ptr = __fcs(buf); ptr++;
960
5436538f 961 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 962}
963
964static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
965{
966 struct rfcomm_hdr *hdr;
967 struct rfcomm_mcc *mcc;
968 struct rfcomm_rls *rls;
969 u8 buf[16], *ptr = buf;
970
971 BT_DBG("%p cr %d status 0x%x", s, cr, status);
972
973 hdr = (void *) ptr; ptr += sizeof(*hdr);
974 hdr->addr = __addr(s->initiator, 0);
975 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
976 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
977
978 mcc = (void *) ptr; ptr += sizeof(*mcc);
979 mcc->type = __mcc_type(cr, RFCOMM_RLS);
980 mcc->len = __len8(sizeof(*rls));
981
982 rls = (void *) ptr; ptr += sizeof(*rls);
983 rls->dlci = __addr(1, dlci);
984 rls->status = status;
985
986 *ptr = __fcs(buf); ptr++;
987
5436538f 988 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 989}
990
991static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
992{
993 struct rfcomm_hdr *hdr;
994 struct rfcomm_mcc *mcc;
995 struct rfcomm_msc *msc;
996 u8 buf[16], *ptr = buf;
997
998 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
999
1000 hdr = (void *) ptr; ptr += sizeof(*hdr);
1001 hdr->addr = __addr(s->initiator, 0);
1002 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1003 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
1004
1005 mcc = (void *) ptr; ptr += sizeof(*mcc);
1006 mcc->type = __mcc_type(cr, RFCOMM_MSC);
1007 mcc->len = __len8(sizeof(*msc));
1008
1009 msc = (void *) ptr; ptr += sizeof(*msc);
1010 msc->dlci = __addr(1, dlci);
1011 msc->v24_sig = v24_sig | 0x01;
1012
1013 *ptr = __fcs(buf); ptr++;
1014
5436538f 1015 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 1016}
1017
1018static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1019{
1020 struct rfcomm_hdr *hdr;
1021 struct rfcomm_mcc *mcc;
1022 u8 buf[16], *ptr = buf;
1023
1024 BT_DBG("%p cr %d", s, cr);
1025
1026 hdr = (void *) ptr; ptr += sizeof(*hdr);
1027 hdr->addr = __addr(s->initiator, 0);
1028 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1029 hdr->len = __len8(sizeof(*mcc));
1030
1031 mcc = (void *) ptr; ptr += sizeof(*mcc);
1032 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1033 mcc->len = __len8(0);
1034
1035 *ptr = __fcs(buf); ptr++;
1036
5436538f 1037 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 1038}
1039
1040static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1041{
1042 struct rfcomm_hdr *hdr;
1043 struct rfcomm_mcc *mcc;
1044 u8 buf[16], *ptr = buf;
1045
1046 BT_DBG("%p cr %d", s, cr);
1047
1048 hdr = (void *) ptr; ptr += sizeof(*hdr);
1049 hdr->addr = __addr(s->initiator, 0);
1050 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1051 hdr->len = __len8(sizeof(*mcc));
1052
1053 mcc = (void *) ptr; ptr += sizeof(*mcc);
1054 mcc->type = __mcc_type(cr, RFCOMM_FCON);
1055 mcc->len = __len8(0);
1056
1057 *ptr = __fcs(buf); ptr++;
1058
5436538f 1059 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 1060}
1061
1062static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1063{
1064 struct socket *sock = s->sock;
1065 struct kvec iv[3];
1066 struct msghdr msg;
1067 unsigned char hdr[5], crc[1];
1068
1069 if (len > 125)
1070 return -EINVAL;
1071
1072 BT_DBG("%p cr %d", s, cr);
1073
1074 hdr[0] = __addr(s->initiator, 0);
1075 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1076 hdr[2] = 0x01 | ((len + 2) << 1);
1077 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1078 hdr[4] = 0x01 | (len << 1);
1079
1080 crc[0] = __fcs(hdr);
1081
1082 iv[0].iov_base = hdr;
1083 iv[0].iov_len = 5;
1084 iv[1].iov_base = pattern;
1085 iv[1].iov_len = len;
1086 iv[2].iov_base = crc;
1087 iv[2].iov_len = 1;
1088
1089 memset(&msg, 0, sizeof(msg));
1090
1091 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1092}
1093
1094static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1095{
1096 struct rfcomm_hdr *hdr;
1097 u8 buf[16], *ptr = buf;
1098
1099 BT_DBG("%p addr %d credits %d", s, addr, credits);
1100
1101 hdr = (void *) ptr; ptr += sizeof(*hdr);
1102 hdr->addr = addr;
1103 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1104 hdr->len = __len8(0);
1105
1106 *ptr = credits; ptr++;
1107
1108 *ptr = __fcs(buf); ptr++;
1109
5436538f 1110 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 1111}
1112
1113static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1114{
1115 struct rfcomm_hdr *hdr;
1116 int len = skb->len;
1117 u8 *crc;
1118
1119 if (len > 127) {
1120 hdr = (void *) skb_push(skb, 4);
b4324b5d 1121 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1da177e4
LT		 1122 } else {
1123 hdr = (void *) skb_push(skb, 3);
1124 hdr->len = __len8(len);
1125 }
1126 hdr->addr = addr;
1127 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1128
1129 crc = skb_put(skb, 1);
1130 *crc = __fcs((void *) hdr);
1131}
1132
1133/* ---- RFCOMM frame reception ---- */
8ff52f7d 1134static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1da177e4
LT		 1135{
1136 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1137
1138 if (dlci) {
1139 /* Data channel */
1140 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1141 if (!d) {
1142 rfcomm_send_dm(s, dlci);
8ff52f7d 1143 return s;
1da177e4
LT		 1144 }
1145
1146 switch (d->state) {
1147 case BT_CONNECT:
1148 rfcomm_dlc_clear_timer(d);
1149
1150 rfcomm_dlc_lock(d);
1151 d->state = BT_CONNECTED;
1152 d->state_change(d, 0);
1153 rfcomm_dlc_unlock(d);
1154
1155 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1156 break;
1157
1158 case BT_DISCONN:
1159 d->state = BT_CLOSED;
1160 __rfcomm_dlc_close(d, 0);
9cf5b0ea
MH		 1161
1162 if (list_empty(&s->dlcs)) {
1163 s->state = BT_DISCONN;
1164 rfcomm_send_disc(s, 0);
79e65478 1165 rfcomm_session_clear_timer(s);
9cf5b0ea
MH		 1166 }
1167
1da177e4
LT		 1168 break;
1169 }
1170 } else {
1171 /* Control channel */
1172 switch (s->state) {
1173 case BT_CONNECT:
1174 s->state = BT_CONNECTED;
1175 rfcomm_process_connect(s);
1176 break;
9cf5b0ea
MH		 1177
1178 case BT_DISCONN:
8ff52f7d 1179 s = rfcomm_session_close(s, ECONNRESET);
9cf5b0ea 1180 break;
1da177e4
LT		 1181 }
1182 }
8ff52f7d 1183 return s;
1da177e4
LT		 1184}
1185
8ff52f7d 1186static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1da177e4
LT		 1187{
1188 int err = 0;
1189
1190 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1191
1192 if (dlci) {
1193 /* Data DLC */
1194 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1195 if (d) {
1196 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1197 err = ECONNREFUSED;
1198 else
1199 err = ECONNRESET;
1200
1201 d->state = BT_CLOSED;
1202 __rfcomm_dlc_close(d, err);
1203 }
1204 } else {
1205 if (s->state == BT_CONNECT)
1206 err = ECONNREFUSED;
1207 else
1208 err = ECONNRESET;
1209
1210 s->state = BT_CLOSED;
8ff52f7d 1211 s = rfcomm_session_close(s, err);
1da177e4 1212 }
8ff52f7d 1213 return s;
1da177e4
LT		 1214}
1215
8ff52f7d
DJ		 1216static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1217 u8 dlci)
1da177e4
LT		 1218{
1219 int err = 0;
1220
1221 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1222
1223 if (dlci) {
1224 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1225 if (d) {
1226 rfcomm_send_ua(s, dlci);
1227
1228 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1229 err = ECONNREFUSED;
1230 else
1231 err = ECONNRESET;
1232
1233 d->state = BT_CLOSED;
1234 __rfcomm_dlc_close(d, err);
8e87d142 1235 } else
1da177e4 1236 rfcomm_send_dm(s, dlci);
8e87d142 1237
1da177e4
LT		 1238 } else {
1239 rfcomm_send_ua(s, 0);
1240
1241 if (s->state == BT_CONNECT)
1242 err = ECONNREFUSED;
1243 else
1244 err = ECONNRESET;
1245
1246 s->state = BT_CLOSED;
8ff52f7d 1247 s = rfcomm_session_close(s, err);
1da177e4 1248 }
8ff52f7d 1249 return s;
1da177e4
LT		 1250}
1251
bb23c0ab 1252void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1da177e4 1253{
300b9397 1254 struct sock *sk = d->session->sock->sk;
8c1d787b 1255 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
300b9397 1256
1da177e4
LT		 1257 BT_DBG("dlc %p", d);
1258
1259 rfcomm_send_ua(d->session, d->dlci);
1260
e2139b32
JH		 1261 rfcomm_dlc_clear_timer(d);
1262
1da177e4
LT		 1263 rfcomm_dlc_lock(d);
1264 d->state = BT_CONNECTED;
1265 d->state_change(d, 0);
1266 rfcomm_dlc_unlock(d);
1267
9f2c8a03 1268 if (d->role_switch)
8c1d787b 1269 hci_conn_switch_role(conn->hcon, 0x00);
300b9397 1270
1da177e4
LT		 1271 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1272}
1273
bb23c0ab
MH		 1274static void rfcomm_check_accept(struct rfcomm_dlc *d)
1275{
9f2c8a03 1276 if (rfcomm_check_security(d)) {
bb23c0ab
MH		 1277 if (d->defer_setup) {
1278 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1279 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
8bf47941
MH		 1280
1281 rfcomm_dlc_lock(d);
1282 d->state = BT_CONNECT2;
1283 d->state_change(d, 0);
1284 rfcomm_dlc_unlock(d);
bb23c0ab
MH		 1285 } else
1286 rfcomm_dlc_accept(d);
8c1b2355
MH		 1287 } else {
1288 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1289 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
bb23c0ab
MH		 1290 }
1291}
1292
1da177e4
LT		 1293static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1294{
1295 struct rfcomm_dlc *d;
1296 u8 channel;
1297
1298 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1299
1300 if (!dlci) {
1301 rfcomm_send_ua(s, 0);
1302
1303 if (s->state == BT_OPEN) {
1304 s->state = BT_CONNECTED;
1305 rfcomm_process_connect(s);
1306 }
1307 return 0;
1308 }
1309
1310 /* Check if DLC exists */
1311 d = rfcomm_dlc_get(s, dlci);
1312 if (d) {
1313 if (d->state == BT_OPEN) {
1314 /* DLC was previously opened by PN request */
bb23c0ab 1315 rfcomm_check_accept(d);
1da177e4
LT		 1316 }
1317 return 0;
1318 }
1319
1320 /* Notify socket layer about incoming connection */
1321 channel = __srv_channel(dlci);
1322 if (rfcomm_connect_ind(s, channel, &d)) {
1323 d->dlci = dlci;
1324 d->addr = __addr(s->initiator, dlci);
1325 rfcomm_dlc_link(s, d);
1326
bb23c0ab 1327 rfcomm_check_accept(d);
1da177e4
LT		 1328 } else {
1329 rfcomm_send_dm(s, dlci);
1330 }
1331
1332 return 0;
1333}
1334
1335static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1336{
1337 struct rfcomm_session *s = d->session;
1338
8e87d142 1339 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1da177e4
LT		 1340 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1341
7c2660b0
MH		 1342 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1343 pn->flow_ctrl == 0xe0) {
1344 d->cfc = RFCOMM_CFC_ENABLED;
1da177e4
LT		 1345 d->tx_credits = pn->credits;
1346 } else {
7c2660b0 1347 d->cfc = RFCOMM_CFC_DISABLED;
1da177e4
LT		 1348 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1349 }
1350
7c2660b0
MH		 1351 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1352 s->cfc = d->cfc;
1353
1da177e4
LT		 1354 d->priority = pn->priority;
1355
b4324b5d 1356 d->mtu = __le16_to_cpu(pn->mtu);
98bcd08b
MH		 1357
1358 if (cr && d->mtu > s->mtu)
1359 d->mtu = s->mtu;
1da177e4
LT		 1360
1361 return 0;
1362}
1363
1364static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1365{
1366 struct rfcomm_pn *pn = (void *) skb->data;
1367 struct rfcomm_dlc *d;
1368 u8 dlci = pn->dlci;
1369
1370 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1371
1372 if (!dlci)
1373 return 0;
1374
1375 d = rfcomm_dlc_get(s, dlci);
1376 if (d) {
1377 if (cr) {
1378 /* PN request */
1379 rfcomm_apply_pn(d, cr, pn);
1380 rfcomm_send_pn(s, 0, d);
1381 } else {
1382 /* PN response */
1383 switch (d->state) {
1384 case BT_CONFIG:
1385 rfcomm_apply_pn(d, cr, pn);
1386
1387 d->state = BT_CONNECT;
1388 rfcomm_send_sabm(s, d->dlci);
1389 break;
1390 }
1391 }
1392 } else {
1393 u8 channel = __srv_channel(dlci);
1394
1395 if (!cr)
1396 return 0;
1397
1398 /* PN request for non existing DLC.
1399 * Assume incoming connection. */
1400 if (rfcomm_connect_ind(s, channel, &d)) {
1401 d->dlci = dlci;
1402 d->addr = __addr(s->initiator, dlci);
1403 rfcomm_dlc_link(s, d);
1404
1405 rfcomm_apply_pn(d, cr, pn);
1406
1407 d->state = BT_OPEN;
1408 rfcomm_send_pn(s, 0, d);
1409 } else {
1410 rfcomm_send_dm(s, dlci);
1411 }
1412 }
1413 return 0;
1414}
1415
1416static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1417{
1418 struct rfcomm_rpn *rpn = (void *) skb->data;
1419 u8 dlci = __get_dlci(rpn->dlci);
1420
1421 u8 bit_rate = 0;
1422 u8 data_bits = 0;
1423 u8 stop_bits = 0;
1424 u8 parity = 0;
1425 u8 flow_ctrl = 0;
1426 u8 xon_char = 0;
1427 u8 xoff_char = 0;
1428 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
3a5e903c
S		 1429
1430 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1431 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1432 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1433
1434 if (!cr)
1da177e4 1435 return 0;
3a5e903c 1436
1da177e4 1437 if (len == 1) {
08601469
YK		 1438 /* This is a request, return default (according to ETSI TS 07.10) settings */
1439 bit_rate = RFCOMM_RPN_BR_9600;
1da177e4
LT		 1440 data_bits = RFCOMM_RPN_DATA_8;
1441 stop_bits = RFCOMM_RPN_STOP_1;
1442 parity = RFCOMM_RPN_PARITY_NONE;
1443 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1444 xon_char = RFCOMM_RPN_XON_CHAR;
1445 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1da177e4
LT		 1446 goto rpn_out;
1447 }
3a5e903c
S		 1448
1449 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1450 * no parity, no flow control lines, normal XON/XOFF chars */
1451
e8db8c99 1452 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1da177e4 1453 bit_rate = rpn->bit_rate;
08601469 1454 if (bit_rate > RFCOMM_RPN_BR_230400) {
1da177e4 1455 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
08601469 1456 bit_rate = RFCOMM_RPN_BR_9600;
1da177e4
LT		 1457 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1458 }
1459 }
3a5e903c 1460
e8db8c99 1461 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1da177e4
LT		 1462 data_bits = __get_rpn_data_bits(rpn->line_settings);
1463 if (data_bits != RFCOMM_RPN_DATA_8) {
1464 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1465 data_bits = RFCOMM_RPN_DATA_8;
1466 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1467 }
1468 }
3a5e903c 1469
e8db8c99 1470 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1da177e4
LT		 1471 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1472 if (stop_bits != RFCOMM_RPN_STOP_1) {
1473 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1474 stop_bits = RFCOMM_RPN_STOP_1;
1475 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1476 }
1477 }
3a5e903c 1478
e8db8c99 1479 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1da177e4
LT		 1480 parity = __get_rpn_parity(rpn->line_settings);
1481 if (parity != RFCOMM_RPN_PARITY_NONE) {
1482 BT_DBG("RPN parity mismatch 0x%x", parity);
1483 parity = RFCOMM_RPN_PARITY_NONE;
1484 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1485 }
1486 }
3a5e903c 1487
e8db8c99 1488 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1da177e4
LT		 1489 flow_ctrl = rpn->flow_ctrl;
1490 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1491 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1492 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1493 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1494 }
1495 }
3a5e903c 1496
e8db8c99 1497 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1da177e4
LT		 1498 xon_char = rpn->xon_char;
1499 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1500 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1501 xon_char = RFCOMM_RPN_XON_CHAR;
1502 rpn_mask ^= RFCOMM_RPN_PM_XON;
1503 }
1504 }
3a5e903c 1505
e8db8c99 1506 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1da177e4
LT		 1507 xoff_char = rpn->xoff_char;
1508 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1509 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1510 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1511 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1512 }
1513 }
1514
1515rpn_out:
3a5e903c
S		 1516 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1517 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1da177e4
LT		 1518
1519 return 0;
1520}
1521
1522static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1523{
1524 struct rfcomm_rls *rls = (void *) skb->data;
1525 u8 dlci = __get_dlci(rls->dlci);
1526
1527 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
3a5e903c 1528
1da177e4
LT		 1529 if (!cr)
1530 return 0;
1531
3a5e903c
S		 1532 /* We should probably do something with this information here. But
1533 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1534 * mandatory to recognise and respond to RLS */
1da177e4
LT		 1535
1536 rfcomm_send_rls(s, 0, dlci, rls->status);
1537
1538 return 0;
1539}
1540
1541static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1542{
1543 struct rfcomm_msc *msc = (void *) skb->data;
1544 struct rfcomm_dlc *d;
1545 u8 dlci = __get_dlci(msc->dlci);
1546
1547 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1548
1549 d = rfcomm_dlc_get(s, dlci);
3a5e903c 1550 if (!d)
1da177e4
LT		 1551 return 0;
1552
1553 if (cr) {
1554 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1555 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1556 else
1557 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
3a5e903c 1558
1da177e4 1559 rfcomm_dlc_lock(d);
8b6b3da7
MH		 1560
1561 d->remote_v24_sig = msc->v24_sig;
1562
1da177e4
LT		 1563 if (d->modem_status)
1564 d->modem_status(d, msc->v24_sig);
8b6b3da7 1565
1da177e4 1566 rfcomm_dlc_unlock(d);
8e87d142 1567
1da177e4
LT		 1568 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1569
1570 d->mscex |= RFCOMM_MSCEX_RX;
3a5e903c 1571 } else
1da177e4
LT		 1572 d->mscex |= RFCOMM_MSCEX_TX;
1573
1574 return 0;
1575}
1576
1577static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1578{
1579 struct rfcomm_mcc *mcc = (void *) skb->data;
1580 u8 type, cr, len;
1581
1582 cr = __test_cr(mcc->type);
1583 type = __get_mcc_type(mcc->type);
1584 len = __get_mcc_len(mcc->len);
1585
1586 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1587
1588 skb_pull(skb, 2);
1589
1590 switch (type) {
1591 case RFCOMM_PN:
1592 rfcomm_recv_pn(s, cr, skb);
1593 break;
1594
1595 case RFCOMM_RPN:
1596 rfcomm_recv_rpn(s, cr, len, skb);
1597 break;
1598
1599 case RFCOMM_RLS:
1600 rfcomm_recv_rls(s, cr, skb);
1601 break;
1602
1603 case RFCOMM_MSC:
1604 rfcomm_recv_msc(s, cr, skb);
1605 break;
1606
1607 case RFCOMM_FCOFF:
1608 if (cr) {
1609 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1610 rfcomm_send_fcoff(s, 0);
1611 }
1612 break;
1613
1614 case RFCOMM_FCON:
1615 if (cr) {
1616 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1617 rfcomm_send_fcon(s, 0);
1618 }
1619 break;
1620
1621 case RFCOMM_TEST:
1622 if (cr)
1623 rfcomm_send_test(s, 0, skb->data, skb->len);
1624 break;
1625
1626 case RFCOMM_NSC:
1627 break;
1628
1629 default:
1630 BT_ERR("Unknown control type 0x%02x", type);
1631 rfcomm_send_nsc(s, cr, type);
1632 break;
1633 }
1634 return 0;
1635}
1636
1637static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1638{
1639 struct rfcomm_dlc *d;
1640
1641 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1642
1643 d = rfcomm_dlc_get(s, dlci);
1644 if (!d) {
1645 rfcomm_send_dm(s, dlci);
1646 goto drop;
1647 }
1648
1649 if (pf && d->cfc) {
1650 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1651
1652 d->tx_credits += credits;
1653 if (d->tx_credits)
1654 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1655 }
1656
1657 if (skb->len && d->state == BT_CONNECTED) {
1658 rfcomm_dlc_lock(d);
1659 d->rx_credits--;
1660 d->data_ready(d, skb);
1661 rfcomm_dlc_unlock(d);
1662 return 0;
1663 }
1664
1665drop:
1666 kfree_skb(skb);
1667 return 0;
1668}
1669
8ff52f7d
DJ		 1670static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1671 struct sk_buff *skb)
1da177e4
LT		 1672{
1673 struct rfcomm_hdr *hdr = (void *) skb->data;
1674 u8 type, dlci, fcs;
1675
8ff52f7d
DJ		 1676 if (!s) {
1677 /* no session, so free socket data */
1678 kfree_skb(skb);
1679 return s;
1680 }
1681
1da177e4
LT		 1682 dlci = __get_dlci(hdr->addr);
1683 type = __get_type(hdr->ctrl);
1684
1685 /* Trim FCS */
1686 skb->len--; skb->tail--;
27a884dc 1687 fcs = *(u8 *)skb_tail_pointer(skb);
1da177e4
LT		 1688
1689 if (__check_fcs(skb->data, type, fcs)) {
1690 BT_ERR("bad checksum in packet");
1691 kfree_skb(skb);
8ff52f7d 1692 return s;
1da177e4
LT		 1693 }
1694
1695 if (__test_ea(hdr->len))
1696 skb_pull(skb, 3);
1697 else
1698 skb_pull(skb, 4);
1699
1700 switch (type) {
1701 case RFCOMM_SABM:
1702 if (__test_pf(hdr->ctrl))
1703 rfcomm_recv_sabm(s, dlci);
1704 break;
1705
1706 case RFCOMM_DISC:
1707 if (__test_pf(hdr->ctrl))
8ff52f7d 1708 s = rfcomm_recv_disc(s, dlci);
1da177e4
LT		 1709 break;
1710
1711 case RFCOMM_UA:
1712 if (__test_pf(hdr->ctrl))
8ff52f7d 1713 s = rfcomm_recv_ua(s, dlci);
1da177e4
LT		 1714 break;
1715
1716 case RFCOMM_DM:
8ff52f7d 1717 s = rfcomm_recv_dm(s, dlci);
1da177e4
LT		 1718 break;
1719
1720 case RFCOMM_UIH:
8ff52f7d
DJ		 1721 if (dlci) {
1722 rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1723 return s;
1724 }
1da177e4
LT		 1725 rfcomm_recv_mcc(s, skb);
1726 break;
1727
1728 default:
5017d8dd 1729 BT_ERR("Unknown packet type 0x%02x", type);
1da177e4
LT		 1730 break;
1731 }
1732 kfree_skb(skb);
8ff52f7d 1733 return s;
1da177e4
LT		 1734}
1735
1736/* ---- Connection and data processing ---- */
1737
1738static void rfcomm_process_connect(struct rfcomm_session *s)
1739{
1740 struct rfcomm_dlc *d;
1741 struct list_head *p, *n;
1742
1743 BT_DBG("session %p state %ld", s, s->state);
1744
1745 list_for_each_safe(p, n, &s->dlcs) {
1746 d = list_entry(p, struct rfcomm_dlc, list);
1747 if (d->state == BT_CONFIG) {
1748 d->mtu = s->mtu;
9f2c8a03 1749 if (rfcomm_check_security(d)) {
8c1b2355
MH		 1750 rfcomm_send_pn(s, 1, d);
1751 } else {
77db1980
MH		 1752 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1753 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
8c1b2355 1754 }
1da177e4
LT		 1755 }
1756 }
1757}
1758
1759/* Send data queued for the DLC.
1760 * Return number of frames left in the queue.
1761 */
6039aa73 1762static int rfcomm_process_tx(struct rfcomm_dlc *d)
1da177e4
LT		 1763{
1764 struct sk_buff *skb;
1765 int err;
1766
8e87d142 1767 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1da177e4
LT		 1768 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1769
1770 /* Send pending MSC */
1771 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
8e87d142 1772 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1da177e4
LT		 1773
1774 if (d->cfc) {
8e87d142 1775 /* CFC enabled.
1da177e4
LT		 1776 * Give them some credits */
1777 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
8e87d142 1778 d->rx_credits <= (d->cfc >> 2)) {
1da177e4
LT		 1779 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1780 d->rx_credits = d->cfc;
1781 }
1782 } else {
1783 /* CFC disabled.
1784 * Give ourselves some credits */
1785 d->tx_credits = 5;
1786 }
1787
1788 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1789 return skb_queue_len(&d->tx_queue);
1790
1791 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
5436538f 1792 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1da177e4
LT		 1793 if (err < 0) {
1794 skb_queue_head(&d->tx_queue, skb);
1795 break;
1796 }
1797 kfree_skb(skb);
1798 d->tx_credits--;
1799 }
1800
1801 if (d->cfc && !d->tx_credits) {
1802 /* We're out of TX credits.
1803 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1804 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1805 }
1806
1807 return skb_queue_len(&d->tx_queue);
1808}
1809
6039aa73 1810static void rfcomm_process_dlcs(struct rfcomm_session *s)
1da177e4
LT		 1811{
1812 struct rfcomm_dlc *d;
1813 struct list_head *p, *n;
1814
1815 BT_DBG("session %p state %ld", s, s->state);
1816
1817 list_for_each_safe(p, n, &s->dlcs) {
1818 d = list_entry(p, struct rfcomm_dlc, list);
1819
1820 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1821 __rfcomm_dlc_close(d, ETIMEDOUT);
1822 continue;
1823 }
1824
db54467a
SJ		 1825 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1826 __rfcomm_dlc_close(d, ECONNREFUSED);
1827 continue;
1828 }
1829
1da177e4
LT		 1830 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1831 rfcomm_dlc_clear_timer(d);
77db1980
MH		 1832 if (d->out) {
1833 rfcomm_send_pn(s, 1, d);
1834 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
bb23c0ab
MH		 1835 } else {
1836 if (d->defer_setup) {
1837 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1838 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
8bf47941
MH		 1839
1840 rfcomm_dlc_lock(d);
1841 d->state = BT_CONNECT2;
1842 d->state_change(d, 0);
1843 rfcomm_dlc_unlock(d);
bb23c0ab
MH		 1844 } else
1845 rfcomm_dlc_accept(d);
1846 }
1da177e4
LT		 1847 continue;
1848 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1849 rfcomm_dlc_clear_timer(d);
77db1980
MH		 1850 if (!d->out)
1851 rfcomm_send_dm(s, d->dlci);
1852 else
1853 d->state = BT_CLOSED;
1da177e4
LT		 1854 __rfcomm_dlc_close(d, ECONNREFUSED);
1855 continue;
1856 }
1857
6e1031a4
JG		 1858 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1859 continue;
1860
1da177e4
LT		 1861 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1862 continue;
1863
1864 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
77db1980 1865 d->mscex == RFCOMM_MSCEX_OK)
1da177e4
LT		 1866 rfcomm_process_tx(d);
1867 }
1868}
1869
8ff52f7d 1870static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1da177e4
LT		 1871{
1872 struct socket *sock = s->sock;
1873 struct sock *sk = sock->sk;
1874 struct sk_buff *skb;
1875
1876 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1877
1878 /* Get data directly from socket receive queue without copying it. */
1879 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1880 skb_orphan(skb);
44935720 1881 if (!skb_linearize(skb))
8ff52f7d 1882 s = rfcomm_recv_frame(s, skb);
44935720
MM		 1883 else
1884 kfree_skb(skb);
1da177e4
LT		 1885 }
1886
8ff52f7d 1887 if (s && (sk->sk_state == BT_CLOSED)) {
1da177e4 1888 if (!s->initiator)
8ff52f7d 1889 s = rfcomm_session_put(s);
1da177e4 1890
8ff52f7d
DJ		 1891 if (s)
1892 s = rfcomm_session_close(s, sk->sk_err);
1da177e4 1893 }
8ff52f7d
DJ		 1894
1895 return s;
1da177e4
LT		 1896}
1897
6039aa73 1898static void rfcomm_accept_connection(struct rfcomm_session *s)
1da177e4
LT		 1899{
1900 struct socket *sock = s->sock, *nsock;
1901 int err;
1902
1903 /* Fast check for a new connection.
1904 * Avoids unnesesary socket allocations. */
1905 if (list_empty(&bt_sk(sock->sk)->accept_q))
1906 return;
1907
1908 BT_DBG("session %p", s);
1909
48db9ca4
MH		 1910 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1911 if (err < 0)
1da177e4
LT		 1912 return;
1913
1da177e4
LT		 1914 /* Set our callbacks */
1915 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1916 nsock->sk->sk_state_change = rfcomm_l2state_change;
1917
1918 s = rfcomm_session_add(nsock, BT_OPEN);
1919 if (s) {
1920 rfcomm_session_hold(s);
98bcd08b
MH		 1921
1922 /* We should adjust MTU on incoming sessions.
1923 * L2CAP MTU minus UIH header and FCS. */
0c1bc5c6
GP		 1924 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1925 l2cap_pi(nsock->sk)->chan->imtu) - 5;
98bcd08b 1926
534c92fd 1927 rfcomm_schedule();
1da177e4
LT		 1928 } else
1929 sock_release(nsock);
1930}
1931
8ff52f7d 1932static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1da177e4
LT		 1933{
1934 struct sock *sk = s->sock->sk;
1935
1936 BT_DBG("%p state %ld", s, s->state);
1937
285b4e90 1938 switch (sk->sk_state) {
1da177e4
LT		 1939 case BT_CONNECTED:
1940 s->state = BT_CONNECT;
1941
1942 /* We can adjust MTU on outgoing sessions.
1943 * L2CAP MTU minus UIH header and FCS. */
0c1bc5c6 1944 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1da177e4
LT		 1945
1946 rfcomm_send_sabm(s, 0);
1947 break;
1948
1949 case BT_CLOSED:
1950 s->state = BT_CLOSED;
8ff52f7d 1951 s = rfcomm_session_close(s, sk->sk_err);
1da177e4
LT		 1952 break;
1953 }
8ff52f7d 1954 return s;
1da177e4
LT		 1955}
1956
6039aa73 1957static void rfcomm_process_sessions(void)
1da177e4
LT		 1958{
1959 struct list_head *p, *n;
1960
1961 rfcomm_lock();
1962
1963 list_for_each_safe(p, n, &session_list) {
1964 struct rfcomm_session *s;
1965 s = list_entry(p, struct rfcomm_session, list);
1966
9e726b17
LAD		 1967 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1968 s->state = BT_DISCONN;
1969 rfcomm_send_disc(s, 0);
485f1eff 1970 rfcomm_session_put(s);
9e726b17
LAD		 1971 continue;
1972 }
1973
1da177e4
LT		 1974 if (s->state == BT_LISTEN) {
1975 rfcomm_accept_connection(s);
1976 continue;
1977 }
1978
1979 rfcomm_session_hold(s);
1980
1981 switch (s->state) {
1982 case BT_BOUND:
8ff52f7d 1983 s = rfcomm_check_connection(s);
1da177e4
LT		 1984 break;
1985
1986 default:
8ff52f7d 1987 s = rfcomm_process_rx(s);
1da177e4
LT		 1988 break;
1989 }
1990
8ff52f7d
DJ		 1991 if (s)
1992 rfcomm_process_dlcs(s);
1da177e4
LT		 1993
1994 rfcomm_session_put(s);
1995 }
1996
1997 rfcomm_unlock();
1998}
1999
1da177e4
LT		 2000static int rfcomm_add_listener(bdaddr_t *ba)
2001{
2002 struct sockaddr_l2 addr;
2003 struct socket *sock;
2004 struct sock *sk;
2005 struct rfcomm_session *s;
2006 int err = 0;
2007
2008 /* Create socket */
2009 err = rfcomm_l2sock_create(&sock);
8e87d142 2010 if (err < 0) {
1da177e4
LT		 2011 BT_ERR("Create socket failed %d", err);
2012 return err;
2013 }
2014
2015 /* Bind socket */
2016 bacpy(&addr.l2_bdaddr, ba);
2017 addr.l2_family = AF_BLUETOOTH;
5bcb8094 2018 addr.l2_psm = __constant_cpu_to_le16(RFCOMM_PSM);
37e62f55 2019 addr.l2_cid = 0;
48db9ca4 2020 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1da177e4
LT		 2021 if (err < 0) {
2022 BT_ERR("Bind failed %d", err);
2023 goto failed;
2024 }
2025
2026 /* Set L2CAP options */
2027 sk = sock->sk;
2028 lock_sock(sk);
0c1bc5c6 2029 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
1da177e4
LT		 2030 release_sock(sk);
2031
2032 /* Start listening on the socket */
48db9ca4 2033 err = kernel_listen(sock, 10);
1da177e4
LT		 2034 if (err) {
2035 BT_ERR("Listen failed %d", err);
2036 goto failed;
2037 }
2038
2039 /* Add listening session */
2040 s = rfcomm_session_add(sock, BT_LISTEN);
2041 if (!s)
2042 goto failed;
2043
2044 rfcomm_session_hold(s);
2045 return 0;
2046failed:
2047 sock_release(sock);
2048 return err;
2049}
2050
2051static void rfcomm_kill_listener(void)
2052{
2053 struct rfcomm_session *s;
2054 struct list_head *p, *n;
2055
2056 BT_DBG("");
2057
2058 list_for_each_safe(p, n, &session_list) {
2059 s = list_entry(p, struct rfcomm_session, list);
2060 rfcomm_session_del(s);
2061 }
2062}
2063
2064static int rfcomm_run(void *unused)
2065{
a524eccc 2066 BT_DBG("");
1da177e4 2067
1da177e4 2068 set_user_nice(current, -10);
1da177e4 2069
1da177e4
LT		 2070 rfcomm_add_listener(BDADDR_ANY);
2071
e5842cdb 2072 while (1) {
a524eccc 2073 set_current_state(TASK_INTERRUPTIBLE);
e5842cdb
PH		 2074
2075 if (kthread_should_stop())
2076 break;
a524eccc
MH		 2077
2078 /* Process stuff */
a524eccc 2079 rfcomm_process_sessions();
e5842cdb
PH		 2080
2081 schedule();
a524eccc 2082 }
e5842cdb 2083 __set_current_state(TASK_RUNNING);
1da177e4
LT		 2084
2085 rfcomm_kill_listener();
2086
1da177e4
LT		 2087 return 0;
2088}
2089
8c1b2355 2090static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
1da177e4
LT		 2091{
2092 struct rfcomm_session *s;
2093 struct rfcomm_dlc *d;
2094 struct list_head *p, *n;
2095
2096 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2097
2098 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2099 if (!s)
2100 return;
2101
2102 rfcomm_session_hold(s);
2103
2104 list_for_each_safe(p, n, &s->dlcs) {
2105 d = list_entry(p, struct rfcomm_dlc, list);
2106
8c84b830
MH		 2107 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2108 rfcomm_dlc_clear_timer(d);
2109 if (status || encrypt == 0x00) {
db54467a 2110 set_bit(RFCOMM_ENC_DROP, &d->flags);
8c84b830
MH		 2111 continue;
2112 }
2113 }
2114
2115 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2116 if (d->sec_level == BT_SECURITY_MEDIUM) {
2117 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2118 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2119 continue;
2120 } else if (d->sec_level == BT_SECURITY_HIGH) {
db54467a 2121 set_bit(RFCOMM_ENC_DROP, &d->flags);
8c84b830
MH		 2122 continue;
2123 }
9719f8af
MH		 2124 }
2125
1da177e4
LT		 2126 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2127 continue;
2128
b3b1b061 2129 if (!status && hci_conn_check_secure(conn, d->sec_level))
1da177e4
LT		 2130 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2131 else
2132 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2133 }
2134
2135 rfcomm_session_put(s);
2136
534c92fd 2137 rfcomm_schedule();
1da177e4
LT		 2138}
2139
2140static struct hci_cb rfcomm_cb = {
2141 .name = "RFCOMM",
8c1b2355 2142 .security_cfm = rfcomm_security_cfm
1da177e4
LT		 2143};
2144
aef7d97c 2145static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
1da177e4
LT		 2146{
2147 struct rfcomm_session *s;
1da177e4
LT		 2148
2149 rfcomm_lock();
2150
8035ded4
LAD		 2151 list_for_each_entry(s, &session_list, list) {
2152 struct rfcomm_dlc *d;
2153 list_for_each_entry(d, &s->dlcs, list) {
be9d1227 2154 struct sock *sk = s->sock->sk;
1da177e4 2155
fcb73338
AE		 2156 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2157 &bt_sk(sk)->src, &bt_sk(sk)->dst,
2158 d->state, d->dlci, d->mtu,
2159 d->rx_credits, d->tx_credits);
1da177e4
LT		 2160 }
2161 }
1da177e4 2162
1da177e4 2163 rfcomm_unlock();
1da177e4 2164
aef7d97c
MH		 2165 return 0;
2166}
2167
2168static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2169{
2170 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
1da177e4
LT		 2171}
2172
aef7d97c
MH		 2173static const struct file_operations rfcomm_dlc_debugfs_fops = {
2174 .open = rfcomm_dlc_debugfs_open,
2175 .read = seq_read,
2176 .llseek = seq_lseek,
2177 .release = single_release,
2178};
2179
2180static struct dentry *rfcomm_dlc_debugfs;
1da177e4
LT		 2181
2182/* ---- Initialization ---- */
2183static int __init rfcomm_init(void)
2184{
52d18347 2185 int err;
af0d3b10 2186
1da177e4
LT		 2187 hci_register_cb(&rfcomm_cb);
2188
a524eccc
MH		 2189 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2190 if (IS_ERR(rfcomm_thread)) {
52d18347
MH		 2191 err = PTR_ERR(rfcomm_thread);
2192 goto unregister;
a524eccc 2193 }
1da177e4 2194
aef7d97c
MH		 2195 if (bt_debugfs) {
2196 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2197 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2198 if (!rfcomm_dlc_debugfs)
2199 BT_ERR("Failed to create RFCOMM debug file");
2200 }
1da177e4 2201
52d18347
MH		 2202 err = rfcomm_init_ttys();
2203 if (err < 0)
2204 goto stop;
1da177e4 2205
52d18347
MH		 2206 err = rfcomm_init_sockets();
2207 if (err < 0)
2208 goto cleanup;
1da177e4 2209
be9d1227
MH		 2210 BT_INFO("RFCOMM ver %s", VERSION);
2211
1da177e4 2212 return 0;
af0d3b10 2213
52d18347 2214cleanup:
af0d3b10 2215 rfcomm_cleanup_ttys();
52d18347
MH		 2216
2217stop:
af0d3b10 2218 kthread_stop(rfcomm_thread);
52d18347
MH		 2219
2220unregister:
af0d3b10
DY		 2221 hci_unregister_cb(&rfcomm_cb);
2222
52d18347 2223 return err;
1da177e4
LT		 2224}
2225
2226static void __exit rfcomm_exit(void)
2227{
aef7d97c 2228 debugfs_remove(rfcomm_dlc_debugfs);
be9d1227 2229
1da177e4
LT		 2230 hci_unregister_cb(&rfcomm_cb);
2231
a524eccc 2232 kthread_stop(rfcomm_thread);
1da177e4 2233
1da177e4 2234 rfcomm_cleanup_ttys();
1da177e4
LT		 2235
2236 rfcomm_cleanup_sockets();
1da177e4
LT		 2237}
2238
2239module_init(rfcomm_init);
2240module_exit(rfcomm_exit);
2241
7c2660b0
MH		 2242module_param(disable_cfc, bool, 0644);
2243MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2244
98bcd08b
MH		 2245module_param(channel_mtu, int, 0644);
2246MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2247
56f3a40a
MH		 2248module_param(l2cap_mtu, uint, 0644);
2249MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2250
eae38eed
MH		 2251module_param(l2cap_ertm, bool, 0644);
2252MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2253
63fbd24e 2254MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 2255MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2256MODULE_VERSION(VERSION);
2257MODULE_LICENSE("GPL");
2258MODULE_ALIAS("bt-proto-3");
kernel source for telekom puls (alcatel/mediatek)