projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Check rfcomm session and DLC exists on socket close
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / rfcomm / core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
8e87d142
YH		 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 21 SOFTWARE IS DISCLAIMED.
22*/
23
1da177e4
LT		 24/*
25 * Bluetooth RFCOMM core.
1da177e4
LT		 26 */
27
1da177e4 28#include <linux/module.h>
aef7d97c 29#include <linux/debugfs.h>
a524eccc 30#include <linux/kthread.h>
1da177e4
LT		 31#include <asm/unaligned.h>
32
33#include <net/bluetooth/bluetooth.h>
34#include <net/bluetooth/hci_core.h>
35#include <net/bluetooth/l2cap.h>
36#include <net/bluetooth/rfcomm.h>
37
5f9018af 38#define VERSION "1.11"
56f3a40a 39
eb939922
RR		 40static bool disable_cfc;
41static bool l2cap_ertm;
98bcd08b 42static int channel_mtu = -1;
56f3a40a
MH		 43static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44
1da177e4
LT		 45static struct task_struct *rfcomm_thread;
46
4a3e2f71
AV		 47static DEFINE_MUTEX(rfcomm_mutex);
48#define rfcomm_lock() mutex_lock(&rfcomm_mutex)
49#define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
1da177e4 50
1da177e4
LT		 51
52static LIST_HEAD(session_list);
1da177e4 53
5436538f 54static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
1da177e4
LT		 55static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64
65static void rfcomm_process_connect(struct rfcomm_session *s);
66
63ce0900
LAD		 67static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68 bdaddr_t *dst,
69 u8 sec_level,
70 int *err);
1da177e4
LT		 71static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
72static void rfcomm_session_del(struct rfcomm_session *s);
73
74/* ---- RFCOMM frame parsing macros ---- */
75#define __get_dlci(b) ((b & 0xfc) >> 2)
76#define __get_channel(b) ((b & 0xf8) >> 3)
77#define __get_dir(b) ((b & 0x04) >> 2)
78#define __get_type(b) ((b & 0xef))
79
80#define __test_ea(b) ((b & 0x01))
81#define __test_cr(b) ((b & 0x02))
82#define __test_pf(b) ((b & 0x10))
83
84#define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
85#define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
86#define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
87#define __srv_channel(dlci) (dlci >> 1)
88#define __dir(dlci) (dlci & 0x01)
89
90#define __len8(len) (((len) << 1) | 1)
91#define __len16(len) ((len) << 1)
92
93/* MCC macros */
94#define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
95#define __get_mcc_type(b) ((b & 0xfc) >> 2)
96#define __get_mcc_len(b) ((b & 0xfe) >> 1)
97
98/* RPN macros */
3a5e903c 99#define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
1da177e4
LT		 100#define __get_rpn_data_bits(line) ((line) & 0x3)
101#define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
3a5e903c 102#define __get_rpn_parity(line) (((line) >> 3) & 0x7)
1da177e4 103
6039aa73 104static void rfcomm_schedule(void)
1da177e4
LT		 105{
106 if (!rfcomm_thread)
107 return;
1da177e4
LT		 108 wake_up_process(rfcomm_thread);
109}
110
6039aa73 111static void rfcomm_session_put(struct rfcomm_session *s)
1da177e4
LT		 112{
113 if (atomic_dec_and_test(&s->refcnt))
114 rfcomm_session_del(s);
115}
116
117/* ---- RFCOMM FCS computation ---- */
118
408c1ce2 119/* reversed, 8-bit, poly=0x07 */
8e87d142 120static unsigned char rfcomm_crc_table[256] = {
408c1ce2
MH		 121 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
122 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
123 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
124 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
125
126 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
127 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
128 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
129 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
130
131 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
132 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
133 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
134 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
135
136 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
137 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
138 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
139 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
140
141 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
142 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
143 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
144 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
145
146 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
147 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
148 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
149 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
150
151 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
152 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
153 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
154 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
155
156 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
157 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
158 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
159 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
160};
161
1da177e4
LT		 162/* CRC on 2 bytes */
163#define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
164
8e87d142 165/* FCS on 2 bytes */
1da177e4
LT		 166static inline u8 __fcs(u8 *data)
167{
a02cec21 168 return 0xff - __crc(data);
1da177e4
LT		 169}
170
8e87d142 171/* FCS on 3 bytes */
1da177e4
LT		 172static inline u8 __fcs2(u8 *data)
173{
a02cec21 174 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
1da177e4
LT		 175}
176
177/* Check FCS */
178static inline int __check_fcs(u8 *data, int type, u8 fcs)
179{
180 u8 f = __crc(data);
181
182 if (type != RFCOMM_UIH)
183 f = rfcomm_crc_table[f ^ data[2]];
184
185 return rfcomm_crc_table[f ^ fcs] != 0xcf;
186}
187
188/* ---- L2CAP callbacks ---- */
189static void rfcomm_l2state_change(struct sock *sk)
190{
191 BT_DBG("%p state %d", sk, sk->sk_state);
534c92fd 192 rfcomm_schedule();
1da177e4
LT		 193}
194
195static void rfcomm_l2data_ready(struct sock *sk, int bytes)
196{
197 BT_DBG("%p bytes %d", sk, bytes);
534c92fd 198 rfcomm_schedule();
1da177e4
LT		 199}
200
201static int rfcomm_l2sock_create(struct socket **sock)
202{
203 int err;
204
205 BT_DBG("");
206
207 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
208 if (!err) {
209 struct sock *sk = (*sock)->sk;
210 sk->sk_data_ready = rfcomm_l2data_ready;
211 sk->sk_state_change = rfcomm_l2state_change;
212 }
213 return err;
214}
215
6039aa73 216static int rfcomm_check_security(struct rfcomm_dlc *d)
77db1980
MH		 217{
218 struct sock *sk = d->session->sock->sk;
8c1d787b
GP		 219 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
220
0684e5f9
MH		 221 __u8 auth_type;
222
223 switch (d->sec_level) {
224 case BT_SECURITY_HIGH:
225 auth_type = HCI_AT_GENERAL_BONDING_MITM;
226 break;
227 case BT_SECURITY_MEDIUM:
228 auth_type = HCI_AT_GENERAL_BONDING;
229 break;
230 default:
231 auth_type = HCI_AT_NO_BONDING;
232 break;
233 }
77db1980 234
8c1d787b 235 return hci_conn_security(conn->hcon, d->sec_level, auth_type);
77db1980
MH		 236}
237
9e726b17
LAD		 238static void rfcomm_session_timeout(unsigned long arg)
239{
240 struct rfcomm_session *s = (void *) arg;
241
242 BT_DBG("session %p state %ld", s, s->state);
243
244 set_bit(RFCOMM_TIMED_OUT, &s->flags);
534c92fd 245 rfcomm_schedule();
9e726b17
LAD		 246}
247
248static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
249{
250 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
251
252 if (!mod_timer(&s->timer, jiffies + timeout))
253 rfcomm_session_hold(s);
254}
255
256static void rfcomm_session_clear_timer(struct rfcomm_session *s)
257{
258 BT_DBG("session %p state %ld", s, s->state);
259
fea7b02f 260 if (del_timer_sync(&s->timer))
9e726b17
LAD		 261 rfcomm_session_put(s);
262}
263
1da177e4
LT		 264/* ---- RFCOMM DLCs ---- */
265static void rfcomm_dlc_timeout(unsigned long arg)
266{
267 struct rfcomm_dlc *d = (void *) arg;
268
269 BT_DBG("dlc %p state %ld", d, d->state);
270
271 set_bit(RFCOMM_TIMED_OUT, &d->flags);
272 rfcomm_dlc_put(d);
534c92fd 273 rfcomm_schedule();
1da177e4
LT		 274}
275
276static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
277{
278 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
279
280 if (!mod_timer(&d->timer, jiffies + timeout))
281 rfcomm_dlc_hold(d);
282}
283
284static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
285{
286 BT_DBG("dlc %p state %ld", d, d->state);
287
25cc4ae9 288 if (del_timer(&d->timer))
1da177e4
LT		 289 rfcomm_dlc_put(d);
290}
291
292static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
293{
294 BT_DBG("%p", d);
295
296 d->state = BT_OPEN;
297 d->flags = 0;
298 d->mscex = 0;
183f732c 299 d->sec_level = BT_SECURITY_LOW;
1da177e4
LT		 300 d->mtu = RFCOMM_DEFAULT_MTU;
301 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
302
303 d->cfc = RFCOMM_CFC_DISABLED;
304 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
305}
306
dd0fc66f 307struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
1da177e4 308{
25ea6db0
MH		 309 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
310
1da177e4
LT		 311 if (!d)
312 return NULL;
1da177e4 313
b24b8a24 314 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
1da177e4
LT		 315
316 skb_queue_head_init(&d->tx_queue);
317 spin_lock_init(&d->lock);
318 atomic_set(&d->refcnt, 1);
319
320 rfcomm_dlc_clear_state(d);
8e87d142 321
1da177e4 322 BT_DBG("%p", d);
25ea6db0 323
1da177e4
LT		 324 return d;
325}
326
327void rfcomm_dlc_free(struct rfcomm_dlc *d)
328{
329 BT_DBG("%p", d);
330
331 skb_queue_purge(&d->tx_queue);
332 kfree(d);
333}
334
335static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
336{
337 BT_DBG("dlc %p session %p", d, s);
338
339 rfcomm_session_hold(s);
340
9e726b17 341 rfcomm_session_clear_timer(s);
1da177e4
LT		 342 rfcomm_dlc_hold(d);
343 list_add(&d->list, &s->dlcs);
344 d->session = s;
345}
346
347static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
348{
349 struct rfcomm_session *s = d->session;
350
351 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
352
353 list_del(&d->list);
354 d->session = NULL;
355 rfcomm_dlc_put(d);
356
9e726b17
LAD		 357 if (list_empty(&s->dlcs))
358 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
359
1da177e4
LT		 360 rfcomm_session_put(s);
361}
362
363static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
364{
365 struct rfcomm_dlc *d;
1da177e4 366
8035ded4 367 list_for_each_entry(d, &s->dlcs, list)
1da177e4
LT		 368 if (d->dlci == dlci)
369 return d;
8035ded4 370
1da177e4
LT		 371 return NULL;
372}
373
374static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
375{
376 struct rfcomm_session *s;
377 int err = 0;
378 u8 dlci;
379
6ed93dc6
AE		 380 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
381 d, d->state, src, dst, channel);
1da177e4
LT		 382
383 if (channel < 1 || channel > 30)
384 return -EINVAL;
385
386 if (d->state != BT_OPEN && d->state != BT_CLOSED)
387 return 0;
388
389 s = rfcomm_session_get(src, dst);
390 if (!s) {
63ce0900 391 s = rfcomm_session_create(src, dst, d->sec_level, &err);
1da177e4
LT		 392 if (!s)
393 return err;
394 }
395
396 dlci = __dlci(!s->initiator, channel);
397
398 /* Check if DLCI already exists */
399 if (rfcomm_dlc_get(s, dlci))
400 return -EBUSY;
401
402 rfcomm_dlc_clear_state(d);
403
404 d->dlci = dlci;
405 d->addr = __addr(s->initiator, dlci);
406 d->priority = 7;
407
77db1980 408 d->state = BT_CONFIG;
1da177e4
LT		 409 rfcomm_dlc_link(s, d);
410
77db1980
MH		 411 d->out = 1;
412
1da177e4
LT		 413 d->mtu = s->mtu;
414 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
415
77db1980 416 if (s->state == BT_CONNECTED) {
9f2c8a03 417 if (rfcomm_check_security(d))
77db1980 418 rfcomm_send_pn(s, 1, d);
8c1b2355
MH		 419 else
420 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
77db1980
MH		 421 }
422
1da177e4 423 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
77db1980 424
1da177e4
LT		 425 return 0;
426}
427
428int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
429{
430 int r;
431
432 rfcomm_lock();
433
434 r = __rfcomm_dlc_open(d, src, dst, channel);
435
436 rfcomm_unlock();
437 return r;
438}
439
440static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
441{
442 struct rfcomm_session *s = d->session;
443 if (!s)
444 return 0;
445
446 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
447 d, d->state, d->dlci, err, s);
448
449 switch (d->state) {
1da177e4 450 case BT_CONNECT:
bb23c0ab
MH		 451 case BT_CONFIG:
452 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
453 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
534c92fd 454 rfcomm_schedule();
bb23c0ab
MH		 455 break;
456 }
457 /* Fall through */
458
459 case BT_CONNECTED:
1da177e4
LT		 460 d->state = BT_DISCONN;
461 if (skb_queue_empty(&d->tx_queue)) {
462 rfcomm_send_disc(s, d->dlci);
463 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
464 } else {
465 rfcomm_queue_disc(d);
466 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
467 }
468 break;
469
bb23c0ab 470 case BT_OPEN:
8bf47941 471 case BT_CONNECT2:
bb23c0ab
MH		 472 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
473 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
534c92fd 474 rfcomm_schedule();
bb23c0ab
MH		 475 break;
476 }
477 /* Fall through */
478
1da177e4
LT		 479 default:
480 rfcomm_dlc_clear_timer(d);
481
482 rfcomm_dlc_lock(d);
483 d->state = BT_CLOSED;
1905f6c7 484 d->state_change(d, err);
4c8411f8 485 rfcomm_dlc_unlock(d);
1da177e4
LT		 486
487 skb_queue_purge(&d->tx_queue);
1da177e4
LT		 488 rfcomm_dlc_unlink(d);
489 }
490
491 return 0;
492}
493
494int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
495{
c06f7d53
DJ		 496 int r = 0;
497 struct rfcomm_dlc *d_list;
498 struct rfcomm_session *s, *s_list;
499
500 BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
1da177e4
LT		 501
502 rfcomm_lock();
503
c06f7d53
DJ		 504 s = d->session;
505 if (!s)
506 goto no_session;
507
508 /* after waiting on the mutex check the session still exists
509 * then check the dlc still exists
510 */
511 list_for_each_entry(s_list, &session_list, list) {
512 if (s_list == s) {
513 list_for_each_entry(d_list, &s->dlcs, list) {
514 if (d_list == d) {
515 r = __rfcomm_dlc_close(d, err);
516 break;
517 }
518 }
519 break;
520 }
521 }
1da177e4 522
c06f7d53 523no_session:
1da177e4
LT		 524 rfcomm_unlock();
525 return r;
526}
527
528int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
529{
530 int len = skb->len;
531
532 if (d->state != BT_CONNECTED)
533 return -ENOTCONN;
534
535 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
536
537 if (len > d->mtu)
538 return -EINVAL;
539
540 rfcomm_make_uih(skb, d->addr);
541 skb_queue_tail(&d->tx_queue, skb);
542
543 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
534c92fd 544 rfcomm_schedule();
1da177e4
LT		 545 return len;
546}
547
b5606c2d 548void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
1da177e4
LT		 549{
550 BT_DBG("dlc %p state %ld", d, d->state);
551
552 if (!d->cfc) {
553 d->v24_sig |= RFCOMM_V24_FC;
554 set_bit(RFCOMM_MSC_PENDING, &d->flags);
555 }
534c92fd 556 rfcomm_schedule();
1da177e4
LT		 557}
558
b5606c2d 559void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
1da177e4
LT		 560{
561 BT_DBG("dlc %p state %ld", d, d->state);
562
563 if (!d->cfc) {
564 d->v24_sig &= ~RFCOMM_V24_FC;
565 set_bit(RFCOMM_MSC_PENDING, &d->flags);
566 }
534c92fd 567 rfcomm_schedule();
1da177e4
LT		 568}
569
8e87d142 570/*
1da177e4
LT		 571 Set/get modem status functions use _local_ status i.e. what we report
572 to the other side.
573 Remote status is provided by dlc->modem_status() callback.
574 */
575int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
576{
8e87d142 577 BT_DBG("dlc %p state %ld v24_sig 0x%x",
1da177e4
LT		 578 d, d->state, v24_sig);
579
580 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
581 v24_sig |= RFCOMM_V24_FC;
582 else
583 v24_sig &= ~RFCOMM_V24_FC;
8e87d142 584
1da177e4
LT		 585 d->v24_sig = v24_sig;
586
587 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
534c92fd 588 rfcomm_schedule();
1da177e4
LT		 589
590 return 0;
591}
592
593int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
594{
8e87d142 595 BT_DBG("dlc %p state %ld v24_sig 0x%x",
1da177e4
LT		 596 d, d->state, d->v24_sig);
597
598 *v24_sig = d->v24_sig;
599 return 0;
600}
601
602/* ---- RFCOMM sessions ---- */
603static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
604{
25ea6db0
MH		 605 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
606
1da177e4
LT		 607 if (!s)
608 return NULL;
1da177e4
LT		 609
610 BT_DBG("session %p sock %p", s, sock);
611
9e726b17
LAD		 612 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
613
1da177e4
LT		 614 INIT_LIST_HEAD(&s->dlcs);
615 s->state = state;
616 s->sock = sock;
617
618 s->mtu = RFCOMM_DEFAULT_MTU;
7c2660b0 619 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
1da177e4
LT		 620
621 /* Do not increment module usage count for listening sessions.
622 * Otherwise we won't be able to unload the module. */
623 if (state != BT_LISTEN)
624 if (!try_module_get(THIS_MODULE)) {
625 kfree(s);
626 return NULL;
627 }
628
629 list_add(&s->list, &session_list);
630
631 return s;
632}
633
634static void rfcomm_session_del(struct rfcomm_session *s)
635{
636 int state = s->state;
637
638 BT_DBG("session %p state %ld", s, s->state);
639
640 list_del(&s->list);
641
642 if (state == BT_CONNECTED)
643 rfcomm_send_disc(s, 0);
644
9e726b17 645 rfcomm_session_clear_timer(s);
1da177e4
LT		 646 sock_release(s->sock);
647 kfree(s);
648
649 if (state != BT_LISTEN)
650 module_put(THIS_MODULE);
651}
652
653static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
654{
655 struct rfcomm_session *s;
656 struct list_head *p, *n;
657 struct bt_sock *sk;
658 list_for_each_safe(p, n, &session_list) {
659 s = list_entry(p, struct rfcomm_session, list);
8e87d142 660 sk = bt_sk(s->sock->sk);
1da177e4
LT		 661
662 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
663 !bacmp(&sk->dst, dst))
664 return s;
665 }
666 return NULL;
667}
668
669static void rfcomm_session_close(struct rfcomm_session *s, int err)
670{
671 struct rfcomm_dlc *d;
672 struct list_head *p, *n;
673
674 BT_DBG("session %p state %ld err %d", s, s->state, err);
675
676 rfcomm_session_hold(s);
677
678 s->state = BT_CLOSED;
679
680 /* Close all dlcs */
681 list_for_each_safe(p, n, &s->dlcs) {
682 d = list_entry(p, struct rfcomm_dlc, list);
683 d->state = BT_CLOSED;
684 __rfcomm_dlc_close(d, err);
685 }
686
9e726b17 687 rfcomm_session_clear_timer(s);
1da177e4
LT		 688 rfcomm_session_put(s);
689}
690
63ce0900
LAD		 691static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
692 bdaddr_t *dst,
693 u8 sec_level,
694 int *err)
1da177e4
LT		 695{
696 struct rfcomm_session *s = NULL;
697 struct sockaddr_l2 addr;
698 struct socket *sock;
699 struct sock *sk;
700
6ed93dc6 701 BT_DBG("%pMR -> %pMR", src, dst);
1da177e4
LT		 702
703 *err = rfcomm_l2sock_create(&sock);
704 if (*err < 0)
705 return NULL;
706
707 bacpy(&addr.l2_bdaddr, src);
708 addr.l2_family = AF_BLUETOOTH;
709 addr.l2_psm = 0;
37e62f55 710 addr.l2_cid = 0;
48db9ca4 711 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1da177e4
LT		 712 if (*err < 0)
713 goto failed;
714
715 /* Set L2CAP options */
716 sk = sock->sk;
717 lock_sock(sk);
0c1bc5c6 718 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
47d1ec61 719 l2cap_pi(sk)->chan->sec_level = sec_level;
eae38eed 720 if (l2cap_ertm)
0c1bc5c6 721 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
1da177e4
LT		 722 release_sock(sk);
723
724 s = rfcomm_session_add(sock, BT_BOUND);
725 if (!s) {
726 *err = -ENOMEM;
727 goto failed;
728 }
729
1da177e4
LT		 730 s->initiator = 1;
731
732 bacpy(&addr.l2_bdaddr, dst);
733 addr.l2_family = AF_BLUETOOTH;
5bcb8094 734 addr.l2_psm = __constant_cpu_to_le16(RFCOMM_PSM);
37e62f55 735 addr.l2_cid = 0;
48db9ca4 736 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
b4c612a4 737 if (*err == 0 || *err == -EINPROGRESS)
1da177e4
LT		 738 return s;
739
740 rfcomm_session_del(s);
741 return NULL;
742
743failed:
744 sock_release(sock);
745 return NULL;
746}
747
748void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
749{
750 struct sock *sk = s->sock->sk;
751 if (src)
752 bacpy(src, &bt_sk(sk)->src);
753 if (dst)
754 bacpy(dst, &bt_sk(sk)->dst);
755}
756
757/* ---- RFCOMM frame sending ---- */
5436538f 758static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
1da177e4 759{
1da177e4
LT		 760 struct kvec iv = { data, len };
761 struct msghdr msg;
762
5436538f 763 BT_DBG("session %p len %d", s, len);
1da177e4
LT		 764
765 memset(&msg, 0, sizeof(msg));
766
5436538f 767 return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
1da177e4
LT		 768}
769
262038fc
LAD		 770static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
771{
772 BT_DBG("%p cmd %u", s, cmd->ctrl);
773
5436538f 774 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
262038fc
LAD		 775}
776
1da177e4
LT		 777static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
778{
779 struct rfcomm_cmd cmd;
780
781 BT_DBG("%p dlci %d", s, dlci);
782
783 cmd.addr = __addr(s->initiator, dlci);
784 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
785 cmd.len = __len8(0);
786 cmd.fcs = __fcs2((u8 *) &cmd);
787
262038fc 788 return rfcomm_send_cmd(s, &cmd);
1da177e4
LT		 789}
790
791static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
792{
793 struct rfcomm_cmd cmd;
794
795 BT_DBG("%p dlci %d", s, dlci);
796
797 cmd.addr = __addr(!s->initiator, dlci);
798 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
799 cmd.len = __len8(0);
800 cmd.fcs = __fcs2((u8 *) &cmd);
801
262038fc 802 return rfcomm_send_cmd(s, &cmd);
1da177e4
LT		 803}
804
805static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
806{
807 struct rfcomm_cmd cmd;
808
809 BT_DBG("%p dlci %d", s, dlci);
810
811 cmd.addr = __addr(s->initiator, dlci);
812 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
813 cmd.len = __len8(0);
814 cmd.fcs = __fcs2((u8 *) &cmd);
815
262038fc 816 return rfcomm_send_cmd(s, &cmd);
1da177e4
LT		 817}
818
819static int rfcomm_queue_disc(struct rfcomm_dlc *d)
820{
821 struct rfcomm_cmd *cmd;
822 struct sk_buff *skb;
823
824 BT_DBG("dlc %p dlci %d", d, d->dlci);
825
826 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
827 if (!skb)
828 return -ENOMEM;
829
830 cmd = (void *) __skb_put(skb, sizeof(*cmd));
831 cmd->addr = d->addr;
832 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
833 cmd->len = __len8(0);
834 cmd->fcs = __fcs2((u8 *) cmd);
835
836 skb_queue_tail(&d->tx_queue, skb);
534c92fd 837 rfcomm_schedule();
1da177e4
LT		 838 return 0;
839}
840
841static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
842{
843 struct rfcomm_cmd cmd;
844
845 BT_DBG("%p dlci %d", s, dlci);
846
847 cmd.addr = __addr(!s->initiator, dlci);
848 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
849 cmd.len = __len8(0);
850 cmd.fcs = __fcs2((u8 *) &cmd);
851
262038fc 852 return rfcomm_send_cmd(s, &cmd);
1da177e4
LT		 853}
854
855static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
856{
857 struct rfcomm_hdr *hdr;
858 struct rfcomm_mcc *mcc;
859 u8 buf[16], *ptr = buf;
860
861 BT_DBG("%p cr %d type %d", s, cr, type);
862
863 hdr = (void *) ptr; ptr += sizeof(*hdr);
864 hdr->addr = __addr(s->initiator, 0);
865 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
866 hdr->len = __len8(sizeof(*mcc) + 1);
867
868 mcc = (void *) ptr; ptr += sizeof(*mcc);
869 mcc->type = __mcc_type(cr, RFCOMM_NSC);
870 mcc->len = __len8(1);
871
872 /* Type that we didn't like */
873 *ptr = __mcc_type(cr, type); ptr++;
874
875 *ptr = __fcs(buf); ptr++;
876
5436538f 877 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 878}
879
880static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
881{
882 struct rfcomm_hdr *hdr;
883 struct rfcomm_mcc *mcc;
884 struct rfcomm_pn *pn;
885 u8 buf[16], *ptr = buf;
886
887 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
888
889 hdr = (void *) ptr; ptr += sizeof(*hdr);
890 hdr->addr = __addr(s->initiator, 0);
891 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
892 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
893
894 mcc = (void *) ptr; ptr += sizeof(*mcc);
895 mcc->type = __mcc_type(cr, RFCOMM_PN);
896 mcc->len = __len8(sizeof(*pn));
897
898 pn = (void *) ptr; ptr += sizeof(*pn);
899 pn->dlci = d->dlci;
900 pn->priority = d->priority;
901 pn->ack_timer = 0;
902 pn->max_retrans = 0;
903
904 if (s->cfc) {
905 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
906 pn->credits = RFCOMM_DEFAULT_CREDITS;
907 } else {
908 pn->flow_ctrl = 0;
909 pn->credits = 0;
910 }
911
98bcd08b 912 if (cr && channel_mtu >= 0)
b4324b5d 913 pn->mtu = cpu_to_le16(channel_mtu);
98bcd08b 914 else
b4324b5d 915 pn->mtu = cpu_to_le16(d->mtu);
1da177e4
LT		 916
917 *ptr = __fcs(buf); ptr++;
918
5436538f 919 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 920}
921
3a5e903c
S		 922int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
923 u8 bit_rate, u8 data_bits, u8 stop_bits,
8e87d142 924 u8 parity, u8 flow_ctrl_settings,
3a5e903c 925 u8 xon_char, u8 xoff_char, u16 param_mask)
1da177e4
LT		 926{
927 struct rfcomm_hdr *hdr;
928 struct rfcomm_mcc *mcc;
929 struct rfcomm_rpn *rpn;
930 u8 buf[16], *ptr = buf;
931
932 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
8e87d142
YH		 933 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
934 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
3a5e903c 935 flow_ctrl_settings, xon_char, xoff_char, param_mask);
1da177e4
LT		 936
937 hdr = (void *) ptr; ptr += sizeof(*hdr);
938 hdr->addr = __addr(s->initiator, 0);
939 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
940 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
941
942 mcc = (void *) ptr; ptr += sizeof(*mcc);
943 mcc->type = __mcc_type(cr, RFCOMM_RPN);
944 mcc->len = __len8(sizeof(*rpn));
945
946 rpn = (void *) ptr; ptr += sizeof(*rpn);
947 rpn->dlci = __addr(1, dlci);
948 rpn->bit_rate = bit_rate;
949 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
950 rpn->flow_ctrl = flow_ctrl_settings;
951 rpn->xon_char = xon_char;
952 rpn->xoff_char = xoff_char;
e8db8c99 953 rpn->param_mask = cpu_to_le16(param_mask);
1da177e4
LT		 954
955 *ptr = __fcs(buf); ptr++;
956
5436538f 957 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 958}
959
960static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
961{
962 struct rfcomm_hdr *hdr;
963 struct rfcomm_mcc *mcc;
964 struct rfcomm_rls *rls;
965 u8 buf[16], *ptr = buf;
966
967 BT_DBG("%p cr %d status 0x%x", s, cr, status);
968
969 hdr = (void *) ptr; ptr += sizeof(*hdr);
970 hdr->addr = __addr(s->initiator, 0);
971 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
972 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
973
974 mcc = (void *) ptr; ptr += sizeof(*mcc);
975 mcc->type = __mcc_type(cr, RFCOMM_RLS);
976 mcc->len = __len8(sizeof(*rls));
977
978 rls = (void *) ptr; ptr += sizeof(*rls);
979 rls->dlci = __addr(1, dlci);
980 rls->status = status;
981
982 *ptr = __fcs(buf); ptr++;
983
5436538f 984 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 985}
986
987static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
988{
989 struct rfcomm_hdr *hdr;
990 struct rfcomm_mcc *mcc;
991 struct rfcomm_msc *msc;
992 u8 buf[16], *ptr = buf;
993
994 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
995
996 hdr = (void *) ptr; ptr += sizeof(*hdr);
997 hdr->addr = __addr(s->initiator, 0);
998 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
999 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
1000
1001 mcc = (void *) ptr; ptr += sizeof(*mcc);
1002 mcc->type = __mcc_type(cr, RFCOMM_MSC);
1003 mcc->len = __len8(sizeof(*msc));
1004
1005 msc = (void *) ptr; ptr += sizeof(*msc);
1006 msc->dlci = __addr(1, dlci);
1007 msc->v24_sig = v24_sig | 0x01;
1008
1009 *ptr = __fcs(buf); ptr++;
1010
5436538f 1011 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 1012}
1013
1014static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1015{
1016 struct rfcomm_hdr *hdr;
1017 struct rfcomm_mcc *mcc;
1018 u8 buf[16], *ptr = buf;
1019
1020 BT_DBG("%p cr %d", s, cr);
1021
1022 hdr = (void *) ptr; ptr += sizeof(*hdr);
1023 hdr->addr = __addr(s->initiator, 0);
1024 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1025 hdr->len = __len8(sizeof(*mcc));
1026
1027 mcc = (void *) ptr; ptr += sizeof(*mcc);
1028 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1029 mcc->len = __len8(0);
1030
1031 *ptr = __fcs(buf); ptr++;
1032
5436538f 1033 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 1034}
1035
1036static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1037{
1038 struct rfcomm_hdr *hdr;
1039 struct rfcomm_mcc *mcc;
1040 u8 buf[16], *ptr = buf;
1041
1042 BT_DBG("%p cr %d", s, cr);
1043
1044 hdr = (void *) ptr; ptr += sizeof(*hdr);
1045 hdr->addr = __addr(s->initiator, 0);
1046 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1047 hdr->len = __len8(sizeof(*mcc));
1048
1049 mcc = (void *) ptr; ptr += sizeof(*mcc);
1050 mcc->type = __mcc_type(cr, RFCOMM_FCON);
1051 mcc->len = __len8(0);
1052
1053 *ptr = __fcs(buf); ptr++;
1054
5436538f 1055 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 1056}
1057
1058static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1059{
1060 struct socket *sock = s->sock;
1061 struct kvec iv[3];
1062 struct msghdr msg;
1063 unsigned char hdr[5], crc[1];
1064
1065 if (len > 125)
1066 return -EINVAL;
1067
1068 BT_DBG("%p cr %d", s, cr);
1069
1070 hdr[0] = __addr(s->initiator, 0);
1071 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1072 hdr[2] = 0x01 | ((len + 2) << 1);
1073 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1074 hdr[4] = 0x01 | (len << 1);
1075
1076 crc[0] = __fcs(hdr);
1077
1078 iv[0].iov_base = hdr;
1079 iv[0].iov_len = 5;
1080 iv[1].iov_base = pattern;
1081 iv[1].iov_len = len;
1082 iv[2].iov_base = crc;
1083 iv[2].iov_len = 1;
1084
1085 memset(&msg, 0, sizeof(msg));
1086
1087 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1088}
1089
1090static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1091{
1092 struct rfcomm_hdr *hdr;
1093 u8 buf[16], *ptr = buf;
1094
1095 BT_DBG("%p addr %d credits %d", s, addr, credits);
1096
1097 hdr = (void *) ptr; ptr += sizeof(*hdr);
1098 hdr->addr = addr;
1099 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1100 hdr->len = __len8(0);
1101
1102 *ptr = credits; ptr++;
1103
1104 *ptr = __fcs(buf); ptr++;
1105
5436538f 1106 return rfcomm_send_frame(s, buf, ptr - buf);
1da177e4
LT		 1107}
1108
1109static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1110{
1111 struct rfcomm_hdr *hdr;
1112 int len = skb->len;
1113 u8 *crc;
1114
1115 if (len > 127) {
1116 hdr = (void *) skb_push(skb, 4);
b4324b5d 1117 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1da177e4
LT		 1118 } else {
1119 hdr = (void *) skb_push(skb, 3);
1120 hdr->len = __len8(len);
1121 }
1122 hdr->addr = addr;
1123 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1124
1125 crc = skb_put(skb, 1);
1126 *crc = __fcs((void *) hdr);
1127}
1128
1129/* ---- RFCOMM frame reception ---- */
1130static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1131{
1132 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1133
1134 if (dlci) {
1135 /* Data channel */
1136 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1137 if (!d) {
1138 rfcomm_send_dm(s, dlci);
1139 return 0;
1140 }
1141
1142 switch (d->state) {
1143 case BT_CONNECT:
1144 rfcomm_dlc_clear_timer(d);
1145
1146 rfcomm_dlc_lock(d);
1147 d->state = BT_CONNECTED;
1148 d->state_change(d, 0);
1149 rfcomm_dlc_unlock(d);
1150
1151 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1152 break;
1153
1154 case BT_DISCONN:
1155 d->state = BT_CLOSED;
1156 __rfcomm_dlc_close(d, 0);
9cf5b0ea
MH		 1157
1158 if (list_empty(&s->dlcs)) {
1159 s->state = BT_DISCONN;
1160 rfcomm_send_disc(s, 0);
79e65478 1161 rfcomm_session_clear_timer(s);
9cf5b0ea
MH		 1162 }
1163
1da177e4
LT		 1164 break;
1165 }
1166 } else {
1167 /* Control channel */
1168 switch (s->state) {
1169 case BT_CONNECT:
1170 s->state = BT_CONNECTED;
1171 rfcomm_process_connect(s);
1172 break;
9cf5b0ea
MH		 1173
1174 case BT_DISCONN:
cf33e77b
OP		 1175 /* rfcomm_session_put is called later so don't do
1176 * anything here otherwise we will mess up the session
1177 * reference counter:
1178 *
1179 * (a) when we are the initiator dlc_unlink will drive
1180 * the reference counter to 0 (there is no initial put
1181 * after session_add)
1182 *
1183 * (b) when we are not the initiator rfcomm_rx_process
1184 * will explicitly call put to balance the initial hold
1185 * done after session add.
1186 */
9cf5b0ea 1187 break;
1da177e4
LT		 1188 }
1189 }
1190 return 0;
1191}
1192
1193static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1194{
1195 int err = 0;
1196
1197 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1198
1199 if (dlci) {
1200 /* Data DLC */
1201 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1202 if (d) {
1203 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1204 err = ECONNREFUSED;
1205 else
1206 err = ECONNRESET;
1207
1208 d->state = BT_CLOSED;
1209 __rfcomm_dlc_close(d, err);
1210 }
1211 } else {
1212 if (s->state == BT_CONNECT)
1213 err = ECONNREFUSED;
1214 else
1215 err = ECONNRESET;
1216
1217 s->state = BT_CLOSED;
1218 rfcomm_session_close(s, err);
1219 }
1220 return 0;
1221}
1222
1223static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1224{
1225 int err = 0;
1226
1227 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1228
1229 if (dlci) {
1230 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1231 if (d) {
1232 rfcomm_send_ua(s, dlci);
1233
1234 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1235 err = ECONNREFUSED;
1236 else
1237 err = ECONNRESET;
1238
1239 d->state = BT_CLOSED;
1240 __rfcomm_dlc_close(d, err);
8e87d142 1241 } else
1da177e4 1242 rfcomm_send_dm(s, dlci);
8e87d142 1243
1da177e4
LT		 1244 } else {
1245 rfcomm_send_ua(s, 0);
1246
1247 if (s->state == BT_CONNECT)
1248 err = ECONNREFUSED;
1249 else
1250 err = ECONNRESET;
1251
1252 s->state = BT_CLOSED;
1253 rfcomm_session_close(s, err);
1254 }
1255
1256 return 0;
1257}
1258
bb23c0ab 1259void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1da177e4 1260{
300b9397 1261 struct sock *sk = d->session->sock->sk;
8c1d787b 1262 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
300b9397 1263
1da177e4
LT		 1264 BT_DBG("dlc %p", d);
1265
1266 rfcomm_send_ua(d->session, d->dlci);
1267
e2139b32
JH		 1268 rfcomm_dlc_clear_timer(d);
1269
1da177e4
LT		 1270 rfcomm_dlc_lock(d);
1271 d->state = BT_CONNECTED;
1272 d->state_change(d, 0);
1273 rfcomm_dlc_unlock(d);
1274
9f2c8a03 1275 if (d->role_switch)
8c1d787b 1276 hci_conn_switch_role(conn->hcon, 0x00);
300b9397 1277
1da177e4
LT		 1278 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1279}
1280
bb23c0ab
MH		 1281static void rfcomm_check_accept(struct rfcomm_dlc *d)
1282{
9f2c8a03 1283 if (rfcomm_check_security(d)) {
bb23c0ab
MH		 1284 if (d->defer_setup) {
1285 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1286 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
8bf47941
MH		 1287
1288 rfcomm_dlc_lock(d);
1289 d->state = BT_CONNECT2;
1290 d->state_change(d, 0);
1291 rfcomm_dlc_unlock(d);
bb23c0ab
MH		 1292 } else
1293 rfcomm_dlc_accept(d);
8c1b2355
MH		 1294 } else {
1295 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1296 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
bb23c0ab
MH		 1297 }
1298}
1299
1da177e4
LT		 1300static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1301{
1302 struct rfcomm_dlc *d;
1303 u8 channel;
1304
1305 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1306
1307 if (!dlci) {
1308 rfcomm_send_ua(s, 0);
1309
1310 if (s->state == BT_OPEN) {
1311 s->state = BT_CONNECTED;
1312 rfcomm_process_connect(s);
1313 }
1314 return 0;
1315 }
1316
1317 /* Check if DLC exists */
1318 d = rfcomm_dlc_get(s, dlci);
1319 if (d) {
1320 if (d->state == BT_OPEN) {
1321 /* DLC was previously opened by PN request */
bb23c0ab 1322 rfcomm_check_accept(d);
1da177e4
LT		 1323 }
1324 return 0;
1325 }
1326
1327 /* Notify socket layer about incoming connection */
1328 channel = __srv_channel(dlci);
1329 if (rfcomm_connect_ind(s, channel, &d)) {
1330 d->dlci = dlci;
1331 d->addr = __addr(s->initiator, dlci);
1332 rfcomm_dlc_link(s, d);
1333
bb23c0ab 1334 rfcomm_check_accept(d);
1da177e4
LT		 1335 } else {
1336 rfcomm_send_dm(s, dlci);
1337 }
1338
1339 return 0;
1340}
1341
1342static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1343{
1344 struct rfcomm_session *s = d->session;
1345
8e87d142 1346 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1da177e4
LT		 1347 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1348
7c2660b0
MH		 1349 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1350 pn->flow_ctrl == 0xe0) {
1351 d->cfc = RFCOMM_CFC_ENABLED;
1da177e4
LT		 1352 d->tx_credits = pn->credits;
1353 } else {
7c2660b0 1354 d->cfc = RFCOMM_CFC_DISABLED;
1da177e4
LT		 1355 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1356 }
1357
7c2660b0
MH		 1358 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1359 s->cfc = d->cfc;
1360
1da177e4
LT		 1361 d->priority = pn->priority;
1362
b4324b5d 1363 d->mtu = __le16_to_cpu(pn->mtu);
98bcd08b
MH		 1364
1365 if (cr && d->mtu > s->mtu)
1366 d->mtu = s->mtu;
1da177e4
LT		 1367
1368 return 0;
1369}
1370
1371static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1372{
1373 struct rfcomm_pn *pn = (void *) skb->data;
1374 struct rfcomm_dlc *d;
1375 u8 dlci = pn->dlci;
1376
1377 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1378
1379 if (!dlci)
1380 return 0;
1381
1382 d = rfcomm_dlc_get(s, dlci);
1383 if (d) {
1384 if (cr) {
1385 /* PN request */
1386 rfcomm_apply_pn(d, cr, pn);
1387 rfcomm_send_pn(s, 0, d);
1388 } else {
1389 /* PN response */
1390 switch (d->state) {
1391 case BT_CONFIG:
1392 rfcomm_apply_pn(d, cr, pn);
1393
1394 d->state = BT_CONNECT;
1395 rfcomm_send_sabm(s, d->dlci);
1396 break;
1397 }
1398 }
1399 } else {
1400 u8 channel = __srv_channel(dlci);
1401
1402 if (!cr)
1403 return 0;
1404
1405 /* PN request for non existing DLC.
1406 * Assume incoming connection. */
1407 if (rfcomm_connect_ind(s, channel, &d)) {
1408 d->dlci = dlci;
1409 d->addr = __addr(s->initiator, dlci);
1410 rfcomm_dlc_link(s, d);
1411
1412 rfcomm_apply_pn(d, cr, pn);
1413
1414 d->state = BT_OPEN;
1415 rfcomm_send_pn(s, 0, d);
1416 } else {
1417 rfcomm_send_dm(s, dlci);
1418 }
1419 }
1420 return 0;
1421}
1422
1423static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1424{
1425 struct rfcomm_rpn *rpn = (void *) skb->data;
1426 u8 dlci = __get_dlci(rpn->dlci);
1427
1428 u8 bit_rate = 0;
1429 u8 data_bits = 0;
1430 u8 stop_bits = 0;
1431 u8 parity = 0;
1432 u8 flow_ctrl = 0;
1433 u8 xon_char = 0;
1434 u8 xoff_char = 0;
1435 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
3a5e903c
S		 1436
1437 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1438 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1439 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1440
1441 if (!cr)
1da177e4 1442 return 0;
3a5e903c 1443
1da177e4 1444 if (len == 1) {
08601469
YK		 1445 /* This is a request, return default (according to ETSI TS 07.10) settings */
1446 bit_rate = RFCOMM_RPN_BR_9600;
1da177e4
LT		 1447 data_bits = RFCOMM_RPN_DATA_8;
1448 stop_bits = RFCOMM_RPN_STOP_1;
1449 parity = RFCOMM_RPN_PARITY_NONE;
1450 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1451 xon_char = RFCOMM_RPN_XON_CHAR;
1452 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1da177e4
LT		 1453 goto rpn_out;
1454 }
3a5e903c
S		 1455
1456 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1457 * no parity, no flow control lines, normal XON/XOFF chars */
1458
e8db8c99 1459 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1da177e4 1460 bit_rate = rpn->bit_rate;
08601469 1461 if (bit_rate > RFCOMM_RPN_BR_230400) {
1da177e4 1462 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
08601469 1463 bit_rate = RFCOMM_RPN_BR_9600;
1da177e4
LT		 1464 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1465 }
1466 }
3a5e903c 1467
e8db8c99 1468 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1da177e4
LT		 1469 data_bits = __get_rpn_data_bits(rpn->line_settings);
1470 if (data_bits != RFCOMM_RPN_DATA_8) {
1471 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1472 data_bits = RFCOMM_RPN_DATA_8;
1473 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1474 }
1475 }
3a5e903c 1476
e8db8c99 1477 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1da177e4
LT		 1478 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1479 if (stop_bits != RFCOMM_RPN_STOP_1) {
1480 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1481 stop_bits = RFCOMM_RPN_STOP_1;
1482 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1483 }
1484 }
3a5e903c 1485
e8db8c99 1486 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1da177e4
LT		 1487 parity = __get_rpn_parity(rpn->line_settings);
1488 if (parity != RFCOMM_RPN_PARITY_NONE) {
1489 BT_DBG("RPN parity mismatch 0x%x", parity);
1490 parity = RFCOMM_RPN_PARITY_NONE;
1491 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1492 }
1493 }
3a5e903c 1494
e8db8c99 1495 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1da177e4
LT		 1496 flow_ctrl = rpn->flow_ctrl;
1497 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1498 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1499 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1500 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1501 }
1502 }
3a5e903c 1503
e8db8c99 1504 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1da177e4
LT		 1505 xon_char = rpn->xon_char;
1506 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1507 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1508 xon_char = RFCOMM_RPN_XON_CHAR;
1509 rpn_mask ^= RFCOMM_RPN_PM_XON;
1510 }
1511 }
3a5e903c 1512
e8db8c99 1513 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1da177e4
LT		 1514 xoff_char = rpn->xoff_char;
1515 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1516 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1517 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1518 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1519 }
1520 }
1521
1522rpn_out:
3a5e903c
S		 1523 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1524 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1da177e4
LT		 1525
1526 return 0;
1527}
1528
1529static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1530{
1531 struct rfcomm_rls *rls = (void *) skb->data;
1532 u8 dlci = __get_dlci(rls->dlci);
1533
1534 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
3a5e903c 1535
1da177e4
LT		 1536 if (!cr)
1537 return 0;
1538
3a5e903c
S		 1539 /* We should probably do something with this information here. But
1540 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1541 * mandatory to recognise and respond to RLS */
1da177e4
LT		 1542
1543 rfcomm_send_rls(s, 0, dlci, rls->status);
1544
1545 return 0;
1546}
1547
1548static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1549{
1550 struct rfcomm_msc *msc = (void *) skb->data;
1551 struct rfcomm_dlc *d;
1552 u8 dlci = __get_dlci(msc->dlci);
1553
1554 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1555
1556 d = rfcomm_dlc_get(s, dlci);
3a5e903c 1557 if (!d)
1da177e4
LT		 1558 return 0;
1559
1560 if (cr) {
1561 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1562 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1563 else
1564 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
3a5e903c 1565
1da177e4 1566 rfcomm_dlc_lock(d);
8b6b3da7
MH		 1567
1568 d->remote_v24_sig = msc->v24_sig;
1569
1da177e4
LT		 1570 if (d->modem_status)
1571 d->modem_status(d, msc->v24_sig);
8b6b3da7 1572
1da177e4 1573 rfcomm_dlc_unlock(d);
8e87d142 1574
1da177e4
LT		 1575 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1576
1577 d->mscex |= RFCOMM_MSCEX_RX;
3a5e903c 1578 } else
1da177e4
LT		 1579 d->mscex |= RFCOMM_MSCEX_TX;
1580
1581 return 0;
1582}
1583
1584static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1585{
1586 struct rfcomm_mcc *mcc = (void *) skb->data;
1587 u8 type, cr, len;
1588
1589 cr = __test_cr(mcc->type);
1590 type = __get_mcc_type(mcc->type);
1591 len = __get_mcc_len(mcc->len);
1592
1593 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1594
1595 skb_pull(skb, 2);
1596
1597 switch (type) {
1598 case RFCOMM_PN:
1599 rfcomm_recv_pn(s, cr, skb);
1600 break;
1601
1602 case RFCOMM_RPN:
1603 rfcomm_recv_rpn(s, cr, len, skb);
1604 break;
1605
1606 case RFCOMM_RLS:
1607 rfcomm_recv_rls(s, cr, skb);
1608 break;
1609
1610 case RFCOMM_MSC:
1611 rfcomm_recv_msc(s, cr, skb);
1612 break;
1613
1614 case RFCOMM_FCOFF:
1615 if (cr) {
1616 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1617 rfcomm_send_fcoff(s, 0);
1618 }
1619 break;
1620
1621 case RFCOMM_FCON:
1622 if (cr) {
1623 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1624 rfcomm_send_fcon(s, 0);
1625 }
1626 break;
1627
1628 case RFCOMM_TEST:
1629 if (cr)
1630 rfcomm_send_test(s, 0, skb->data, skb->len);
1631 break;
1632
1633 case RFCOMM_NSC:
1634 break;
1635
1636 default:
1637 BT_ERR("Unknown control type 0x%02x", type);
1638 rfcomm_send_nsc(s, cr, type);
1639 break;
1640 }
1641 return 0;
1642}
1643
1644static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1645{
1646 struct rfcomm_dlc *d;
1647
1648 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1649
1650 d = rfcomm_dlc_get(s, dlci);
1651 if (!d) {
1652 rfcomm_send_dm(s, dlci);
1653 goto drop;
1654 }
1655
1656 if (pf && d->cfc) {
1657 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1658
1659 d->tx_credits += credits;
1660 if (d->tx_credits)
1661 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1662 }
1663
1664 if (skb->len && d->state == BT_CONNECTED) {
1665 rfcomm_dlc_lock(d);
1666 d->rx_credits--;
1667 d->data_ready(d, skb);
1668 rfcomm_dlc_unlock(d);
1669 return 0;
1670 }
1671
1672drop:
1673 kfree_skb(skb);
1674 return 0;
1675}
1676
1677static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1678{
1679 struct rfcomm_hdr *hdr = (void *) skb->data;
1680 u8 type, dlci, fcs;
1681
1682 dlci = __get_dlci(hdr->addr);
1683 type = __get_type(hdr->ctrl);
1684
1685 /* Trim FCS */
1686 skb->len--; skb->tail--;
27a884dc 1687 fcs = *(u8 *)skb_tail_pointer(skb);
1da177e4
LT		 1688
1689 if (__check_fcs(skb->data, type, fcs)) {
1690 BT_ERR("bad checksum in packet");
1691 kfree_skb(skb);
1692 return -EILSEQ;
1693 }
1694
1695 if (__test_ea(hdr->len))
1696 skb_pull(skb, 3);
1697 else
1698 skb_pull(skb, 4);
1699
1700 switch (type) {
1701 case RFCOMM_SABM:
1702 if (__test_pf(hdr->ctrl))
1703 rfcomm_recv_sabm(s, dlci);
1704 break;
1705
1706 case RFCOMM_DISC:
1707 if (__test_pf(hdr->ctrl))
1708 rfcomm_recv_disc(s, dlci);
1709 break;
1710
1711 case RFCOMM_UA:
1712 if (__test_pf(hdr->ctrl))
1713 rfcomm_recv_ua(s, dlci);
1714 break;
1715
1716 case RFCOMM_DM:
1717 rfcomm_recv_dm(s, dlci);
1718 break;
1719
1720 case RFCOMM_UIH:
1721 if (dlci)
1722 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1723
1724 rfcomm_recv_mcc(s, skb);
1725 break;
1726
1727 default:
5017d8dd 1728 BT_ERR("Unknown packet type 0x%02x", type);
1da177e4
LT		 1729 break;
1730 }
1731 kfree_skb(skb);
1732 return 0;
1733}
1734
1735/* ---- Connection and data processing ---- */
1736
1737static void rfcomm_process_connect(struct rfcomm_session *s)
1738{
1739 struct rfcomm_dlc *d;
1740 struct list_head *p, *n;
1741
1742 BT_DBG("session %p state %ld", s, s->state);
1743
1744 list_for_each_safe(p, n, &s->dlcs) {
1745 d = list_entry(p, struct rfcomm_dlc, list);
1746 if (d->state == BT_CONFIG) {
1747 d->mtu = s->mtu;
9f2c8a03 1748 if (rfcomm_check_security(d)) {
8c1b2355
MH		 1749 rfcomm_send_pn(s, 1, d);
1750 } else {
77db1980
MH		 1751 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1752 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
8c1b2355 1753 }
1da177e4
LT		 1754 }
1755 }
1756}
1757
1758/* Send data queued for the DLC.
1759 * Return number of frames left in the queue.
1760 */
6039aa73 1761static int rfcomm_process_tx(struct rfcomm_dlc *d)
1da177e4
LT		 1762{
1763 struct sk_buff *skb;
1764 int err;
1765
8e87d142 1766 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1da177e4
LT		 1767 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1768
1769 /* Send pending MSC */
1770 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
8e87d142 1771 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1da177e4
LT		 1772
1773 if (d->cfc) {
8e87d142 1774 /* CFC enabled.
1da177e4
LT		 1775 * Give them some credits */
1776 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
8e87d142 1777 d->rx_credits <= (d->cfc >> 2)) {
1da177e4
LT		 1778 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1779 d->rx_credits = d->cfc;
1780 }
1781 } else {
1782 /* CFC disabled.
1783 * Give ourselves some credits */
1784 d->tx_credits = 5;
1785 }
1786
1787 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1788 return skb_queue_len(&d->tx_queue);
1789
1790 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
5436538f 1791 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1da177e4
LT		 1792 if (err < 0) {
1793 skb_queue_head(&d->tx_queue, skb);
1794 break;
1795 }
1796 kfree_skb(skb);
1797 d->tx_credits--;
1798 }
1799
1800 if (d->cfc && !d->tx_credits) {
1801 /* We're out of TX credits.
1802 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1803 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1804 }
1805
1806 return skb_queue_len(&d->tx_queue);
1807}
1808
6039aa73 1809static void rfcomm_process_dlcs(struct rfcomm_session *s)
1da177e4
LT		 1810{
1811 struct rfcomm_dlc *d;
1812 struct list_head *p, *n;
1813
1814 BT_DBG("session %p state %ld", s, s->state);
1815
1816 list_for_each_safe(p, n, &s->dlcs) {
1817 d = list_entry(p, struct rfcomm_dlc, list);
1818
1819 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1820 __rfcomm_dlc_close(d, ETIMEDOUT);
1821 continue;
1822 }
1823
db54467a
SJ		 1824 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1825 __rfcomm_dlc_close(d, ECONNREFUSED);
1826 continue;
1827 }
1828
1da177e4
LT		 1829 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1830 rfcomm_dlc_clear_timer(d);
77db1980
MH		 1831 if (d->out) {
1832 rfcomm_send_pn(s, 1, d);
1833 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
bb23c0ab
MH		 1834 } else {
1835 if (d->defer_setup) {
1836 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1837 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
8bf47941
MH		 1838
1839 rfcomm_dlc_lock(d);
1840 d->state = BT_CONNECT2;
1841 d->state_change(d, 0);
1842 rfcomm_dlc_unlock(d);
bb23c0ab
MH		 1843 } else
1844 rfcomm_dlc_accept(d);
1845 }
1da177e4
LT		 1846 continue;
1847 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1848 rfcomm_dlc_clear_timer(d);
77db1980
MH		 1849 if (!d->out)
1850 rfcomm_send_dm(s, d->dlci);
1851 else
1852 d->state = BT_CLOSED;
1da177e4
LT		 1853 __rfcomm_dlc_close(d, ECONNREFUSED);
1854 continue;
1855 }
1856
6e1031a4
JG		 1857 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1858 continue;
1859
1da177e4
LT		 1860 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1861 continue;
1862
1863 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
77db1980 1864 d->mscex == RFCOMM_MSCEX_OK)
1da177e4
LT		 1865 rfcomm_process_tx(d);
1866 }
1867}
1868
6039aa73 1869static void rfcomm_process_rx(struct rfcomm_session *s)
1da177e4
LT		 1870{
1871 struct socket *sock = s->sock;
1872 struct sock *sk = sock->sk;
1873 struct sk_buff *skb;
1874
1875 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1876
1877 /* Get data directly from socket receive queue without copying it. */
1878 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1879 skb_orphan(skb);
44935720
MM		 1880 if (!skb_linearize(skb))
1881 rfcomm_recv_frame(s, skb);
1882 else
1883 kfree_skb(skb);
1da177e4
LT		 1884 }
1885
1886 if (sk->sk_state == BT_CLOSED) {
1887 if (!s->initiator)
1888 rfcomm_session_put(s);
1889
1890 rfcomm_session_close(s, sk->sk_err);
1891 }
1892}
1893
6039aa73 1894static void rfcomm_accept_connection(struct rfcomm_session *s)
1da177e4
LT		 1895{
1896 struct socket *sock = s->sock, *nsock;
1897 int err;
1898
1899 /* Fast check for a new connection.
1900 * Avoids unnesesary socket allocations. */
1901 if (list_empty(&bt_sk(sock->sk)->accept_q))
1902 return;
1903
1904 BT_DBG("session %p", s);
1905
48db9ca4
MH		 1906 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1907 if (err < 0)
1da177e4
LT		 1908 return;
1909
1da177e4
LT		 1910 /* Set our callbacks */
1911 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1912 nsock->sk->sk_state_change = rfcomm_l2state_change;
1913
1914 s = rfcomm_session_add(nsock, BT_OPEN);
1915 if (s) {
1916 rfcomm_session_hold(s);
98bcd08b
MH		 1917
1918 /* We should adjust MTU on incoming sessions.
1919 * L2CAP MTU minus UIH header and FCS. */
0c1bc5c6
GP		 1920 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1921 l2cap_pi(nsock->sk)->chan->imtu) - 5;
98bcd08b 1922
534c92fd 1923 rfcomm_schedule();
1da177e4
LT		 1924 } else
1925 sock_release(nsock);
1926}
1927
6039aa73 1928static void rfcomm_check_connection(struct rfcomm_session *s)
1da177e4
LT		 1929{
1930 struct sock *sk = s->sock->sk;
1931
1932 BT_DBG("%p state %ld", s, s->state);
1933
285b4e90 1934 switch (sk->sk_state) {
1da177e4
LT		 1935 case BT_CONNECTED:
1936 s->state = BT_CONNECT;
1937
1938 /* We can adjust MTU on outgoing sessions.
1939 * L2CAP MTU minus UIH header and FCS. */
0c1bc5c6 1940 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1da177e4
LT		 1941
1942 rfcomm_send_sabm(s, 0);
1943 break;
1944
1945 case BT_CLOSED:
1946 s->state = BT_CLOSED;
1947 rfcomm_session_close(s, sk->sk_err);
1948 break;
1949 }
1950}
1951
6039aa73 1952static void rfcomm_process_sessions(void)
1da177e4
LT		 1953{
1954 struct list_head *p, *n;
1955
1956 rfcomm_lock();
1957
1958 list_for_each_safe(p, n, &session_list) {
1959 struct rfcomm_session *s;
1960 s = list_entry(p, struct rfcomm_session, list);
1961
9e726b17
LAD		 1962 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1963 s->state = BT_DISCONN;
1964 rfcomm_send_disc(s, 0);
485f1eff 1965 rfcomm_session_put(s);
9e726b17
LAD		 1966 continue;
1967 }
1968
1da177e4
LT		 1969 if (s->state == BT_LISTEN) {
1970 rfcomm_accept_connection(s);
1971 continue;
1972 }
1973
1974 rfcomm_session_hold(s);
1975
1976 switch (s->state) {
1977 case BT_BOUND:
1978 rfcomm_check_connection(s);
1979 break;
1980
1981 default:
1982 rfcomm_process_rx(s);
1983 break;
1984 }
1985
1986 rfcomm_process_dlcs(s);
1987
1988 rfcomm_session_put(s);
1989 }
1990
1991 rfcomm_unlock();
1992}
1993
1da177e4
LT		 1994static int rfcomm_add_listener(bdaddr_t *ba)
1995{
1996 struct sockaddr_l2 addr;
1997 struct socket *sock;
1998 struct sock *sk;
1999 struct rfcomm_session *s;
2000 int err = 0;
2001
2002 /* Create socket */
2003 err = rfcomm_l2sock_create(&sock);
8e87d142 2004 if (err < 0) {
1da177e4
LT		 2005 BT_ERR("Create socket failed %d", err);
2006 return err;
2007 }
2008
2009 /* Bind socket */
2010 bacpy(&addr.l2_bdaddr, ba);
2011 addr.l2_family = AF_BLUETOOTH;
5bcb8094 2012 addr.l2_psm = __constant_cpu_to_le16(RFCOMM_PSM);
37e62f55 2013 addr.l2_cid = 0;
48db9ca4 2014 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1da177e4
LT		 2015 if (err < 0) {
2016 BT_ERR("Bind failed %d", err);
2017 goto failed;
2018 }
2019
2020 /* Set L2CAP options */
2021 sk = sock->sk;
2022 lock_sock(sk);
0c1bc5c6 2023 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
1da177e4
LT		 2024 release_sock(sk);
2025
2026 /* Start listening on the socket */
48db9ca4 2027 err = kernel_listen(sock, 10);
1da177e4
LT		 2028 if (err) {
2029 BT_ERR("Listen failed %d", err);
2030 goto failed;
2031 }
2032
2033 /* Add listening session */
2034 s = rfcomm_session_add(sock, BT_LISTEN);
2035 if (!s)
2036 goto failed;
2037
2038 rfcomm_session_hold(s);
2039 return 0;
2040failed:
2041 sock_release(sock);
2042 return err;
2043}
2044
2045static void rfcomm_kill_listener(void)
2046{
2047 struct rfcomm_session *s;
2048 struct list_head *p, *n;
2049
2050 BT_DBG("");
2051
2052 list_for_each_safe(p, n, &session_list) {
2053 s = list_entry(p, struct rfcomm_session, list);
2054 rfcomm_session_del(s);
2055 }
2056}
2057
2058static int rfcomm_run(void *unused)
2059{
a524eccc 2060 BT_DBG("");
1da177e4 2061
1da177e4 2062 set_user_nice(current, -10);
1da177e4 2063
1da177e4
LT		 2064 rfcomm_add_listener(BDADDR_ANY);
2065
e5842cdb 2066 while (1) {
a524eccc 2067 set_current_state(TASK_INTERRUPTIBLE);
e5842cdb
PH		 2068
2069 if (kthread_should_stop())
2070 break;
a524eccc
MH		 2071
2072 /* Process stuff */
a524eccc 2073 rfcomm_process_sessions();
e5842cdb
PH		 2074
2075 schedule();
a524eccc 2076 }
e5842cdb 2077 __set_current_state(TASK_RUNNING);
1da177e4
LT		 2078
2079 rfcomm_kill_listener();
2080
1da177e4
LT		 2081 return 0;
2082}
2083
8c1b2355 2084static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
1da177e4
LT		 2085{
2086 struct rfcomm_session *s;
2087 struct rfcomm_dlc *d;
2088 struct list_head *p, *n;
2089
2090 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2091
2092 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2093 if (!s)
2094 return;
2095
2096 rfcomm_session_hold(s);
2097
2098 list_for_each_safe(p, n, &s->dlcs) {
2099 d = list_entry(p, struct rfcomm_dlc, list);
2100
8c84b830
MH		 2101 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2102 rfcomm_dlc_clear_timer(d);
2103 if (status || encrypt == 0x00) {
db54467a 2104 set_bit(RFCOMM_ENC_DROP, &d->flags);
8c84b830
MH		 2105 continue;
2106 }
2107 }
2108
2109 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2110 if (d->sec_level == BT_SECURITY_MEDIUM) {
2111 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2112 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2113 continue;
2114 } else if (d->sec_level == BT_SECURITY_HIGH) {
db54467a 2115 set_bit(RFCOMM_ENC_DROP, &d->flags);
8c84b830
MH		 2116 continue;
2117 }
9719f8af
MH		 2118 }
2119
1da177e4
LT		 2120 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2121 continue;
2122
b3b1b061 2123 if (!status && hci_conn_check_secure(conn, d->sec_level))
1da177e4
LT		 2124 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2125 else
2126 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2127 }
2128
2129 rfcomm_session_put(s);
2130
534c92fd 2131 rfcomm_schedule();
1da177e4
LT		 2132}
2133
2134static struct hci_cb rfcomm_cb = {
2135 .name = "RFCOMM",
8c1b2355 2136 .security_cfm = rfcomm_security_cfm
1da177e4
LT		 2137};
2138
aef7d97c 2139static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
1da177e4
LT		 2140{
2141 struct rfcomm_session *s;
1da177e4
LT		 2142
2143 rfcomm_lock();
2144
8035ded4
LAD		 2145 list_for_each_entry(s, &session_list, list) {
2146 struct rfcomm_dlc *d;
2147 list_for_each_entry(d, &s->dlcs, list) {
be9d1227 2148 struct sock *sk = s->sock->sk;
1da177e4 2149
fcb73338
AE		 2150 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2151 &bt_sk(sk)->src, &bt_sk(sk)->dst,
2152 d->state, d->dlci, d->mtu,
2153 d->rx_credits, d->tx_credits);
1da177e4
LT		 2154 }
2155 }
1da177e4 2156
1da177e4 2157 rfcomm_unlock();
1da177e4 2158
aef7d97c
MH		 2159 return 0;
2160}
2161
2162static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2163{
2164 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
1da177e4
LT		 2165}
2166
aef7d97c
MH		 2167static const struct file_operations rfcomm_dlc_debugfs_fops = {
2168 .open = rfcomm_dlc_debugfs_open,
2169 .read = seq_read,
2170 .llseek = seq_lseek,
2171 .release = single_release,
2172};
2173
2174static struct dentry *rfcomm_dlc_debugfs;
1da177e4
LT		 2175
2176/* ---- Initialization ---- */
2177static int __init rfcomm_init(void)
2178{
52d18347 2179 int err;
af0d3b10 2180
1da177e4
LT		 2181 hci_register_cb(&rfcomm_cb);
2182
a524eccc
MH		 2183 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2184 if (IS_ERR(rfcomm_thread)) {
52d18347
MH		 2185 err = PTR_ERR(rfcomm_thread);
2186 goto unregister;
a524eccc 2187 }
1da177e4 2188
aef7d97c
MH		 2189 if (bt_debugfs) {
2190 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2191 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2192 if (!rfcomm_dlc_debugfs)
2193 BT_ERR("Failed to create RFCOMM debug file");
2194 }
1da177e4 2195
52d18347
MH		 2196 err = rfcomm_init_ttys();
2197 if (err < 0)
2198 goto stop;
1da177e4 2199
52d18347
MH		 2200 err = rfcomm_init_sockets();
2201 if (err < 0)
2202 goto cleanup;
1da177e4 2203
be9d1227
MH		 2204 BT_INFO("RFCOMM ver %s", VERSION);
2205
1da177e4 2206 return 0;
af0d3b10 2207
52d18347 2208cleanup:
af0d3b10 2209 rfcomm_cleanup_ttys();
52d18347
MH		 2210
2211stop:
af0d3b10 2212 kthread_stop(rfcomm_thread);
52d18347
MH		 2213
2214unregister:
af0d3b10
DY		 2215 hci_unregister_cb(&rfcomm_cb);
2216
52d18347 2217 return err;
1da177e4
LT		 2218}
2219
2220static void __exit rfcomm_exit(void)
2221{
aef7d97c 2222 debugfs_remove(rfcomm_dlc_debugfs);
be9d1227 2223
1da177e4
LT		 2224 hci_unregister_cb(&rfcomm_cb);
2225
a524eccc 2226 kthread_stop(rfcomm_thread);
1da177e4 2227
1da177e4 2228 rfcomm_cleanup_ttys();
1da177e4
LT		 2229
2230 rfcomm_cleanup_sockets();
1da177e4
LT		 2231}
2232
2233module_init(rfcomm_init);
2234module_exit(rfcomm_exit);
2235
7c2660b0
MH		 2236module_param(disable_cfc, bool, 0644);
2237MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2238
98bcd08b
MH		 2239module_param(channel_mtu, int, 0644);
2240MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2241
56f3a40a
MH		 2242module_param(l2cap_mtu, uint, 0644);
2243MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2244
eae38eed
MH		 2245module_param(l2cap_ertm, bool, 0644);
2246MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2247
63fbd24e 2248MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 2249MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2250MODULE_VERSION(VERSION);
2251MODULE_LICENSE("GPL");
2252MODULE_ALIAS("bt-proto-3");
kernel source for telekom puls (alcatel/mediatek)