1/*
2   RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3   Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4   Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6   This program is free software; you can redistribute it and/or modify
7   it under the terms of the GNU General Public License version 2 as
8   published by the Free Software Foundation;
9
10   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21   SOFTWARE IS DISCLAIMED.
22*/
23
24/*
25 * Bluetooth RFCOMM core.
26 */
27
28#include <linux/module.h>
29#include <linux/debugfs.h>
30#include <linux/kthread.h>
31#include <asm/unaligned.h>
32
33#include <net/bluetooth/bluetooth.h>
34#include <net/bluetooth/hci_core.h>
35#include <net/bluetooth/l2cap.h>
36#include <net/bluetooth/rfcomm.h>
37
38#define VERSION "1.11"
39
40static bool disable_cfc;
41static bool l2cap_ertm;
42static int channel_mtu = -1;
43static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44
45static struct task_struct *rfcomm_thread;
46
47static DEFINE_MUTEX(rfcomm_mutex);
48#define rfcomm_lock()	mutex_lock(&rfcomm_mutex)
49#define rfcomm_unlock()	mutex_unlock(&rfcomm_mutex)
50
51
52static LIST_HEAD(session_list);
53
54static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
55static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64
65static void rfcomm_process_connect(struct rfcomm_session *s);
66
67static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68							bdaddr_t *dst,
69							u8 sec_level,
70							int *err);
71static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
72static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
73
74/* ---- RFCOMM frame parsing macros ---- */
75#define __get_dlci(b)     ((b & 0xfc) >> 2)
76#define __get_channel(b)  ((b & 0xf8) >> 3)
77#define __get_dir(b)      ((b & 0x04) >> 2)
78#define __get_type(b)     ((b & 0xef))
79
80#define __test_ea(b)      ((b & 0x01))
81#define __test_cr(b)      ((b & 0x02))
82#define __test_pf(b)      ((b & 0x10))
83
84#define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
85#define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
86#define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
87#define __srv_channel(dlci)    (dlci >> 1)
88#define __dir(dlci)            (dlci & 0x01)
89
90#define __len8(len)       (((len) << 1) | 1)
91#define __len16(len)      ((len) << 1)
92
93/* MCC macros */
94#define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
95#define __get_mcc_type(b) ((b & 0xfc) >> 2)
96#define __get_mcc_len(b)  ((b & 0xfe) >> 1)
97
98/* RPN macros */
99#define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
100#define __get_rpn_data_bits(line) ((line) & 0x3)
101#define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
102#define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
103
104static void rfcomm_schedule(void)
105{
106	if (!rfcomm_thread)
107		return;
108	wake_up_process(rfcomm_thread);
109}
110
111/* ---- RFCOMM FCS computation ---- */
112
113/* reversed, 8-bit, poly=0x07 */
114static unsigned char rfcomm_crc_table[256] = {
115	0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
116	0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
117	0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
118	0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
119
120	0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
121	0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
122	0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
123	0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
124
125	0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
126	0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
127	0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
128	0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
129
130	0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
131	0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
132	0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
133	0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
134
135	0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
136	0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
137	0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
138	0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
139
140	0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
141	0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
142	0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
143	0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
144
145	0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
146	0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
147	0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
148	0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
149
150	0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
151	0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
152	0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
153	0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
154};
155
156/* CRC on 2 bytes */
157#define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
158
159/* FCS on 2 bytes */
160static inline u8 __fcs(u8 *data)
161{
162	return 0xff - __crc(data);
163}
164
165/* FCS on 3 bytes */
166static inline u8 __fcs2(u8 *data)
167{
168	return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
169}
170
171/* Check FCS */
172static inline int __check_fcs(u8 *data, int type, u8 fcs)
173{
174	u8 f = __crc(data);
175
176	if (type != RFCOMM_UIH)
177		f = rfcomm_crc_table[f ^ data[2]];
178
179	return rfcomm_crc_table[f ^ fcs] != 0xcf;
180}
181
182/* ---- L2CAP callbacks ---- */
183static void rfcomm_l2state_change(struct sock *sk)
184{
185	BT_DBG("%p state %d", sk, sk->sk_state);
186	rfcomm_schedule();
187}
188
189static void rfcomm_l2data_ready(struct sock *sk)
190{
191	BT_DBG("%p", sk);
192	rfcomm_schedule();
193}
194
195static int rfcomm_l2sock_create(struct socket **sock)
196{
197	int err;
198
199	BT_DBG("");
200
201	err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
202	if (!err) {
203		struct sock *sk = (*sock)->sk;
204		sk->sk_data_ready   = rfcomm_l2data_ready;
205		sk->sk_state_change = rfcomm_l2state_change;
206	}
207	return err;
208}
209
210static int rfcomm_check_security(struct rfcomm_dlc *d)
211{
212	struct sock *sk = d->session->sock->sk;
213	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
214
215	__u8 auth_type;
216
217	switch (d->sec_level) {
218	case BT_SECURITY_HIGH:
219	case BT_SECURITY_FIPS:
220		auth_type = HCI_AT_GENERAL_BONDING_MITM;
221		break;
222	case BT_SECURITY_MEDIUM:
223		auth_type = HCI_AT_GENERAL_BONDING;
224		break;
225	default:
226		auth_type = HCI_AT_NO_BONDING;
227		break;
228	}
229
230	return hci_conn_security(conn->hcon, d->sec_level, auth_type,
231				 d->out);
232}
233
234static void rfcomm_session_timeout(unsigned long arg)
235{
236	struct rfcomm_session *s = (void *) arg;
237
238	BT_DBG("session %p state %ld", s, s->state);
239
240	set_bit(RFCOMM_TIMED_OUT, &s->flags);
241	rfcomm_schedule();
242}
243
244static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
245{
246	BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
247
248	mod_timer(&s->timer, jiffies + timeout);
249}
250
251static void rfcomm_session_clear_timer(struct rfcomm_session *s)
252{
253	BT_DBG("session %p state %ld", s, s->state);
254
255	del_timer_sync(&s->timer);
256}
257
258/* ---- RFCOMM DLCs ---- */
259static void rfcomm_dlc_timeout(unsigned long arg)
260{
261	struct rfcomm_dlc *d = (void *) arg;
262
263	BT_DBG("dlc %p state %ld", d, d->state);
264
265	set_bit(RFCOMM_TIMED_OUT, &d->flags);
266	rfcomm_dlc_put(d);
267	rfcomm_schedule();
268}
269
270static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
271{
272	BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
273
274	if (!mod_timer(&d->timer, jiffies + timeout))
275		rfcomm_dlc_hold(d);
276}
277
278static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
279{
280	BT_DBG("dlc %p state %ld", d, d->state);
281
282	if (del_timer(&d->timer))
283		rfcomm_dlc_put(d);
284}
285
286static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
287{
288	BT_DBG("%p", d);
289
290	d->state      = BT_OPEN;
291	d->flags      = 0;
292	d->mscex      = 0;
293	d->sec_level  = BT_SECURITY_LOW;
294	d->mtu        = RFCOMM_DEFAULT_MTU;
295	d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
296
297	d->cfc        = RFCOMM_CFC_DISABLED;
298	d->rx_credits = RFCOMM_DEFAULT_CREDITS;
299}
300
301struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
302{
303	struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
304
305	if (!d)
306		return NULL;
307
308	setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
309
310	skb_queue_head_init(&d->tx_queue);
311	mutex_init(&d->lock);
312	atomic_set(&d->refcnt, 1);
313
314	rfcomm_dlc_clear_state(d);
315
316	BT_DBG("%p", d);
317
318	return d;
319}
320
321void rfcomm_dlc_free(struct rfcomm_dlc *d)
322{
323	BT_DBG("%p", d);
324
325	skb_queue_purge(&d->tx_queue);
326	kfree(d);
327}
328
329static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
330{
331	BT_DBG("dlc %p session %p", d, s);
332
333	rfcomm_session_clear_timer(s);
334	rfcomm_dlc_hold(d);
335	list_add(&d->list, &s->dlcs);
336	d->session = s;
337}
338
339static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
340{
341	struct rfcomm_session *s = d->session;
342
343	BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
344
345	list_del(&d->list);
346	d->session = NULL;
347	rfcomm_dlc_put(d);
348
349	if (list_empty(&s->dlcs))
350		rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
351}
352
353static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
354{
355	struct rfcomm_dlc *d;
356
357	list_for_each_entry(d, &s->dlcs, list)
358		if (d->dlci == dlci)
359			return d;
360
361	return NULL;
362}
363
364static int rfcomm_check_channel(u8 channel)
365{
366	return channel < 1 || channel > 30;
367}
368
369static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
370{
371	struct rfcomm_session *s;
372	int err = 0;
373	u8 dlci;
374
375	BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
376	       d, d->state, src, dst, channel);
377
378	if (rfcomm_check_channel(channel))
379		return -EINVAL;
380
381	if (d->state != BT_OPEN && d->state != BT_CLOSED)
382		return 0;
383
384	s = rfcomm_session_get(src, dst);
385	if (!s) {
386		s = rfcomm_session_create(src, dst, d->sec_level, &err);
387		if (!s)
388			return err;
389	}
390
391	dlci = __dlci(!s->initiator, channel);
392
393	/* Check if DLCI already exists */
394	if (rfcomm_dlc_get(s, dlci))
395		return -EBUSY;
396
397	rfcomm_dlc_clear_state(d);
398
399	d->dlci     = dlci;
400	d->addr     = __addr(s->initiator, dlci);
401	d->priority = 7;
402
403	d->state = BT_CONFIG;
404	rfcomm_dlc_link(s, d);
405
406	d->out = 1;
407
408	d->mtu = s->mtu;
409	d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
410
411	if (s->state == BT_CONNECTED) {
412		if (rfcomm_check_security(d))
413			rfcomm_send_pn(s, 1, d);
414		else
415			set_bit(RFCOMM_AUTH_PENDING, &d->flags);
416	}
417
418	rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
419
420	return 0;
421}
422
423int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
424{
425	int r;
426
427	rfcomm_lock();
428
429	r = __rfcomm_dlc_open(d, src, dst, channel);
430
431	rfcomm_unlock();
432	return r;
433}
434
435static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
436{
437	struct rfcomm_session *s = d->session;
438
439	d->state = BT_DISCONN;
440	if (skb_queue_empty(&d->tx_queue)) {
441		rfcomm_send_disc(s, d->dlci);
442		rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
443	} else {
444		rfcomm_queue_disc(d);
445		rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
446	}
447}
448
449static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
450{
451	struct rfcomm_session *s = d->session;
452	if (!s)
453		return 0;
454
455	BT_DBG("dlc %p state %ld dlci %d err %d session %p",
456			d, d->state, d->dlci, err, s);
457
458	switch (d->state) {
459	case BT_CONNECT:
460	case BT_CONFIG:
461	case BT_OPEN:
462	case BT_CONNECT2:
463		if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
464			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
465			rfcomm_schedule();
466			return 0;
467		}
468	}
469
470	switch (d->state) {
471	case BT_CONNECT:
472	case BT_CONNECTED:
473		__rfcomm_dlc_disconn(d);
474		break;
475
476	case BT_CONFIG:
477		if (s->state != BT_BOUND) {
478			__rfcomm_dlc_disconn(d);
479			break;
480		}
481		/* if closing a dlc in a session that hasn't been started,
482		 * just close and unlink the dlc
483		 */
484
485	default:
486		rfcomm_dlc_clear_timer(d);
487
488		rfcomm_dlc_lock(d);
489		d->state = BT_CLOSED;
490		d->state_change(d, err);
491		rfcomm_dlc_unlock(d);
492
493		skb_queue_purge(&d->tx_queue);
494		rfcomm_dlc_unlink(d);
495	}
496
497	return 0;
498}
499
500int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
501{
502	int r = 0;
503	struct rfcomm_dlc *d_list;
504	struct rfcomm_session *s, *s_list;
505
506	BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
507
508	rfcomm_lock();
509
510	s = d->session;
511	if (!s)
512		goto no_session;
513
514	/* after waiting on the mutex check the session still exists
515	 * then check the dlc still exists
516	 */
517	list_for_each_entry(s_list, &session_list, list) {
518		if (s_list == s) {
519			list_for_each_entry(d_list, &s->dlcs, list) {
520				if (d_list == d) {
521					r = __rfcomm_dlc_close(d, err);
522					break;
523				}
524			}
525			break;
526		}
527	}
528
529no_session:
530	rfcomm_unlock();
531	return r;
532}
533
534struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
535{
536	struct rfcomm_session *s;
537	struct rfcomm_dlc *dlc = NULL;
538	u8 dlci;
539
540	if (rfcomm_check_channel(channel))
541		return ERR_PTR(-EINVAL);
542
543	rfcomm_lock();
544	s = rfcomm_session_get(src, dst);
545	if (s) {
546		dlci = __dlci(!s->initiator, channel);
547		dlc = rfcomm_dlc_get(s, dlci);
548	}
549	rfcomm_unlock();
550	return dlc;
551}
552
553int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
554{
555	int len = skb->len;
556
557	if (d->state != BT_CONNECTED)
558		return -ENOTCONN;
559
560	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
561
562	if (len > d->mtu)
563		return -EINVAL;
564
565	rfcomm_make_uih(skb, d->addr);
566	skb_queue_tail(&d->tx_queue, skb);
567
568	if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
569		rfcomm_schedule();
570	return len;
571}
572
573void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
574{
575	int len = skb->len;
576
577	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
578
579	rfcomm_make_uih(skb, d->addr);
580	skb_queue_tail(&d->tx_queue, skb);
581
582	if (d->state == BT_CONNECTED &&
583	    !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
584		rfcomm_schedule();
585}
586
587void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
588{
589	BT_DBG("dlc %p state %ld", d, d->state);
590
591	if (!d->cfc) {
592		d->v24_sig |= RFCOMM_V24_FC;
593		set_bit(RFCOMM_MSC_PENDING, &d->flags);
594	}
595	rfcomm_schedule();
596}
597
598void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
599{
600	BT_DBG("dlc %p state %ld", d, d->state);
601
602	if (!d->cfc) {
603		d->v24_sig &= ~RFCOMM_V24_FC;
604		set_bit(RFCOMM_MSC_PENDING, &d->flags);
605	}
606	rfcomm_schedule();
607}
608
609/*
610   Set/get modem status functions use _local_ status i.e. what we report
611   to the other side.
612   Remote status is provided by dlc->modem_status() callback.
613 */
614int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
615{
616	BT_DBG("dlc %p state %ld v24_sig 0x%x",
617			d, d->state, v24_sig);
618
619	if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
620		v24_sig |= RFCOMM_V24_FC;
621	else
622		v24_sig &= ~RFCOMM_V24_FC;
623
624	d->v24_sig = v24_sig;
625
626	if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
627		rfcomm_schedule();
628
629	return 0;
630}
631
632int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
633{
634	BT_DBG("dlc %p state %ld v24_sig 0x%x",
635			d, d->state, d->v24_sig);
636
637	*v24_sig = d->v24_sig;
638	return 0;
639}
640
641/* ---- RFCOMM sessions ---- */
642static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
643{
644	struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
645
646	if (!s)
647		return NULL;
648
649	BT_DBG("session %p sock %p", s, sock);
650
651	setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
652
653	INIT_LIST_HEAD(&s->dlcs);
654	s->state = state;
655	s->sock  = sock;
656
657	s->mtu = RFCOMM_DEFAULT_MTU;
658	s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
659
660	/* Do not increment module usage count for listening sessions.
661	 * Otherwise we won't be able to unload the module. */
662	if (state != BT_LISTEN)
663		if (!try_module_get(THIS_MODULE)) {
664			kfree(s);
665			return NULL;
666		}
667
668	list_add(&s->list, &session_list);
669
670	return s;
671}
672
673static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
674{
675	int state = s->state;
676
677	BT_DBG("session %p state %ld", s, s->state);
678
679	list_del(&s->list);
680
681	rfcomm_session_clear_timer(s);
682	sock_release(s->sock);
683	kfree(s);
684
685	if (state != BT_LISTEN)
686		module_put(THIS_MODULE);
687
688	return NULL;
689}
690
691static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
692{
693	struct rfcomm_session *s;
694	struct list_head *p, *n;
695	struct l2cap_chan *chan;
696	list_for_each_safe(p, n, &session_list) {
697		s = list_entry(p, struct rfcomm_session, list);
698		chan = l2cap_pi(s->sock->sk)->chan;
699
700		if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) &&
701		    !bacmp(&chan->dst, dst))
702			return s;
703	}
704	return NULL;
705}
706
707static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
708						   int err)
709{
710	struct rfcomm_dlc *d;
711	struct list_head *p, *n;
712
713	s->state = BT_CLOSED;
714
715	BT_DBG("session %p state %ld err %d", s, s->state, err);
716
717	/* Close all dlcs */
718	list_for_each_safe(p, n, &s->dlcs) {
719		d = list_entry(p, struct rfcomm_dlc, list);
720		d->state = BT_CLOSED;
721		__rfcomm_dlc_close(d, err);
722	}
723
724	rfcomm_session_clear_timer(s);
725	return rfcomm_session_del(s);
726}
727
728static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
729							bdaddr_t *dst,
730							u8 sec_level,
731							int *err)
732{
733	struct rfcomm_session *s = NULL;
734	struct sockaddr_l2 addr;
735	struct socket *sock;
736	struct sock *sk;
737
738	BT_DBG("%pMR -> %pMR", src, dst);
739
740	*err = rfcomm_l2sock_create(&sock);
741	if (*err < 0)
742		return NULL;
743
744	bacpy(&addr.l2_bdaddr, src);
745	addr.l2_family = AF_BLUETOOTH;
746	addr.l2_psm    = 0;
747	addr.l2_cid    = 0;
748	addr.l2_bdaddr_type = BDADDR_BREDR;
749	*err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
750	if (*err < 0)
751		goto failed;
752
753	/* Set L2CAP options */
754	sk = sock->sk;
755	lock_sock(sk);
756	l2cap_pi(sk)->chan->imtu = l2cap_mtu;
757	l2cap_pi(sk)->chan->sec_level = sec_level;
758	if (l2cap_ertm)
759		l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
760	release_sock(sk);
761
762	s = rfcomm_session_add(sock, BT_BOUND);
763	if (!s) {
764		*err = -ENOMEM;
765		goto failed;
766	}
767
768	s->initiator = 1;
769
770	bacpy(&addr.l2_bdaddr, dst);
771	addr.l2_family = AF_BLUETOOTH;
772	addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
773	addr.l2_cid    = 0;
774	addr.l2_bdaddr_type = BDADDR_BREDR;
775	*err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
776	if (*err == 0 || *err == -EINPROGRESS)
777		return s;
778
779	return rfcomm_session_del(s);
780
781failed:
782	sock_release(sock);
783	return NULL;
784}
785
786void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
787{
788	struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
789	if (src)
790		bacpy(src, &chan->src);
791	if (dst)
792		bacpy(dst, &chan->dst);
793}
794
795/* ---- RFCOMM frame sending ---- */
796static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
797{
798	struct kvec iv = { data, len };
799	struct msghdr msg;
800
801	BT_DBG("session %p len %d", s, len);
802
803	memset(&msg, 0, sizeof(msg));
804
805	return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
806}
807
808static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
809{
810	BT_DBG("%p cmd %u", s, cmd->ctrl);
811
812	return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
813}
814
815static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
816{
817	struct rfcomm_cmd cmd;
818
819	BT_DBG("%p dlci %d", s, dlci);
820
821	cmd.addr = __addr(s->initiator, dlci);
822	cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
823	cmd.len  = __len8(0);
824	cmd.fcs  = __fcs2((u8 *) &cmd);
825
826	return rfcomm_send_cmd(s, &cmd);
827}
828
829static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
830{
831	struct rfcomm_cmd cmd;
832
833	BT_DBG("%p dlci %d", s, dlci);
834
835	cmd.addr = __addr(!s->initiator, dlci);
836	cmd.ctrl = __ctrl(RFCOMM_UA, 1);
837	cmd.len  = __len8(0);
838	cmd.fcs  = __fcs2((u8 *) &cmd);
839
840	return rfcomm_send_cmd(s, &cmd);
841}
842
843static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
844{
845	struct rfcomm_cmd cmd;
846
847	BT_DBG("%p dlci %d", s, dlci);
848
849	cmd.addr = __addr(s->initiator, dlci);
850	cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
851	cmd.len  = __len8(0);
852	cmd.fcs  = __fcs2((u8 *) &cmd);
853
854	return rfcomm_send_cmd(s, &cmd);
855}
856
857static int rfcomm_queue_disc(struct rfcomm_dlc *d)
858{
859	struct rfcomm_cmd *cmd;
860	struct sk_buff *skb;
861
862	BT_DBG("dlc %p dlci %d", d, d->dlci);
863
864	skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
865	if (!skb)
866		return -ENOMEM;
867
868	cmd = (void *) __skb_put(skb, sizeof(*cmd));
869	cmd->addr = d->addr;
870	cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
871	cmd->len  = __len8(0);
872	cmd->fcs  = __fcs2((u8 *) cmd);
873
874	skb_queue_tail(&d->tx_queue, skb);
875	rfcomm_schedule();
876	return 0;
877}
878
879static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
880{
881	struct rfcomm_cmd cmd;
882
883	BT_DBG("%p dlci %d", s, dlci);
884
885	cmd.addr = __addr(!s->initiator, dlci);
886	cmd.ctrl = __ctrl(RFCOMM_DM, 1);
887	cmd.len  = __len8(0);
888	cmd.fcs  = __fcs2((u8 *) &cmd);
889
890	return rfcomm_send_cmd(s, &cmd);
891}
892
893static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
894{
895	struct rfcomm_hdr *hdr;
896	struct rfcomm_mcc *mcc;
897	u8 buf[16], *ptr = buf;
898
899	BT_DBG("%p cr %d type %d", s, cr, type);
900
901	hdr = (void *) ptr; ptr += sizeof(*hdr);
902	hdr->addr = __addr(s->initiator, 0);
903	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
904	hdr->len  = __len8(sizeof(*mcc) + 1);
905
906	mcc = (void *) ptr; ptr += sizeof(*mcc);
907	mcc->type = __mcc_type(cr, RFCOMM_NSC);
908	mcc->len  = __len8(1);
909
910	/* Type that we didn't like */
911	*ptr = __mcc_type(cr, type); ptr++;
912
913	*ptr = __fcs(buf); ptr++;
914
915	return rfcomm_send_frame(s, buf, ptr - buf);
916}
917
918static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
919{
920	struct rfcomm_hdr *hdr;
921	struct rfcomm_mcc *mcc;
922	struct rfcomm_pn  *pn;
923	u8 buf[16], *ptr = buf;
924
925	BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
926
927	hdr = (void *) ptr; ptr += sizeof(*hdr);
928	hdr->addr = __addr(s->initiator, 0);
929	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
930	hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
931
932	mcc = (void *) ptr; ptr += sizeof(*mcc);
933	mcc->type = __mcc_type(cr, RFCOMM_PN);
934	mcc->len  = __len8(sizeof(*pn));
935
936	pn = (void *) ptr; ptr += sizeof(*pn);
937	pn->dlci        = d->dlci;
938	pn->priority    = d->priority;
939	pn->ack_timer   = 0;
940	pn->max_retrans = 0;
941
942	if (s->cfc) {
943		pn->flow_ctrl = cr ? 0xf0 : 0xe0;
944		pn->credits = RFCOMM_DEFAULT_CREDITS;
945	} else {
946		pn->flow_ctrl = 0;
947		pn->credits   = 0;
948	}
949
950	if (cr && channel_mtu >= 0)
951		pn->mtu = cpu_to_le16(channel_mtu);
952	else
953		pn->mtu = cpu_to_le16(d->mtu);
954
955	*ptr = __fcs(buf); ptr++;
956
957	return rfcomm_send_frame(s, buf, ptr - buf);
958}
959
960int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
961			u8 bit_rate, u8 data_bits, u8 stop_bits,
962			u8 parity, u8 flow_ctrl_settings,
963			u8 xon_char, u8 xoff_char, u16 param_mask)
964{
965	struct rfcomm_hdr *hdr;
966	struct rfcomm_mcc *mcc;
967	struct rfcomm_rpn *rpn;
968	u8 buf[16], *ptr = buf;
969
970	BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
971			" flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
972		s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
973		flow_ctrl_settings, xon_char, xoff_char, param_mask);
974
975	hdr = (void *) ptr; ptr += sizeof(*hdr);
976	hdr->addr = __addr(s->initiator, 0);
977	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
978	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
979
980	mcc = (void *) ptr; ptr += sizeof(*mcc);
981	mcc->type = __mcc_type(cr, RFCOMM_RPN);
982	mcc->len  = __len8(sizeof(*rpn));
983
984	rpn = (void *) ptr; ptr += sizeof(*rpn);
985	rpn->dlci          = __addr(1, dlci);
986	rpn->bit_rate      = bit_rate;
987	rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
988	rpn->flow_ctrl     = flow_ctrl_settings;
989	rpn->xon_char      = xon_char;
990	rpn->xoff_char     = xoff_char;
991	rpn->param_mask    = cpu_to_le16(param_mask);
992
993	*ptr = __fcs(buf); ptr++;
994
995	return rfcomm_send_frame(s, buf, ptr - buf);
996}
997
998static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
999{
1000	struct rfcomm_hdr *hdr;
1001	struct rfcomm_mcc *mcc;
1002	struct rfcomm_rls *rls;
1003	u8 buf[16], *ptr = buf;
1004
1005	BT_DBG("%p cr %d status 0x%x", s, cr, status);
1006
1007	hdr = (void *) ptr; ptr += sizeof(*hdr);
1008	hdr->addr = __addr(s->initiator, 0);
1009	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1010	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
1011
1012	mcc = (void *) ptr; ptr += sizeof(*mcc);
1013	mcc->type = __mcc_type(cr, RFCOMM_RLS);
1014	mcc->len  = __len8(sizeof(*rls));
1015
1016	rls = (void *) ptr; ptr += sizeof(*rls);
1017	rls->dlci   = __addr(1, dlci);
1018	rls->status = status;
1019
1020	*ptr = __fcs(buf); ptr++;
1021
1022	return rfcomm_send_frame(s, buf, ptr - buf);
1023}
1024
1025static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
1026{
1027	struct rfcomm_hdr *hdr;
1028	struct rfcomm_mcc *mcc;
1029	struct rfcomm_msc *msc;
1030	u8 buf[16], *ptr = buf;
1031
1032	BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
1033
1034	hdr = (void *) ptr; ptr += sizeof(*hdr);
1035	hdr->addr = __addr(s->initiator, 0);
1036	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1037	hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
1038
1039	mcc = (void *) ptr; ptr += sizeof(*mcc);
1040	mcc->type = __mcc_type(cr, RFCOMM_MSC);
1041	mcc->len  = __len8(sizeof(*msc));
1042
1043	msc = (void *) ptr; ptr += sizeof(*msc);
1044	msc->dlci    = __addr(1, dlci);
1045	msc->v24_sig = v24_sig | 0x01;
1046
1047	*ptr = __fcs(buf); ptr++;
1048
1049	return rfcomm_send_frame(s, buf, ptr - buf);
1050}
1051
1052static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1053{
1054	struct rfcomm_hdr *hdr;
1055	struct rfcomm_mcc *mcc;
1056	u8 buf[16], *ptr = buf;
1057
1058	BT_DBG("%p cr %d", s, cr);
1059
1060	hdr = (void *) ptr; ptr += sizeof(*hdr);
1061	hdr->addr = __addr(s->initiator, 0);
1062	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1063	hdr->len  = __len8(sizeof(*mcc));
1064
1065	mcc = (void *) ptr; ptr += sizeof(*mcc);
1066	mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1067	mcc->len  = __len8(0);
1068
1069	*ptr = __fcs(buf); ptr++;
1070
1071	return rfcomm_send_frame(s, buf, ptr - buf);
1072}
1073
1074static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1075{
1076	struct rfcomm_hdr *hdr;
1077	struct rfcomm_mcc *mcc;
1078	u8 buf[16], *ptr = buf;
1079
1080	BT_DBG("%p cr %d", s, cr);
1081
1082	hdr = (void *) ptr; ptr += sizeof(*hdr);
1083	hdr->addr = __addr(s->initiator, 0);
1084	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1085	hdr->len  = __len8(sizeof(*mcc));
1086
1087	mcc = (void *) ptr; ptr += sizeof(*mcc);
1088	mcc->type = __mcc_type(cr, RFCOMM_FCON);
1089	mcc->len  = __len8(0);
1090
1091	*ptr = __fcs(buf); ptr++;
1092
1093	return rfcomm_send_frame(s, buf, ptr - buf);
1094}
1095
1096static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1097{
1098	struct socket *sock = s->sock;
1099	struct kvec iv[3];
1100	struct msghdr msg;
1101	unsigned char hdr[5], crc[1];
1102
1103	if (len > 125)
1104		return -EINVAL;
1105
1106	BT_DBG("%p cr %d", s, cr);
1107
1108	hdr[0] = __addr(s->initiator, 0);
1109	hdr[1] = __ctrl(RFCOMM_UIH, 0);
1110	hdr[2] = 0x01 | ((len + 2) << 1);
1111	hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1112	hdr[4] = 0x01 | (len << 1);
1113
1114	crc[0] = __fcs(hdr);
1115
1116	iv[0].iov_base = hdr;
1117	iv[0].iov_len  = 5;
1118	iv[1].iov_base = pattern;
1119	iv[1].iov_len  = len;
1120	iv[2].iov_base = crc;
1121	iv[2].iov_len  = 1;
1122
1123	memset(&msg, 0, sizeof(msg));
1124
1125	return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1126}
1127
1128static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1129{
1130	struct rfcomm_hdr *hdr;
1131	u8 buf[16], *ptr = buf;
1132
1133	BT_DBG("%p addr %d credits %d", s, addr, credits);
1134
1135	hdr = (void *) ptr; ptr += sizeof(*hdr);
1136	hdr->addr = addr;
1137	hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1138	hdr->len  = __len8(0);
1139
1140	*ptr = credits; ptr++;
1141
1142	*ptr = __fcs(buf); ptr++;
1143
1144	return rfcomm_send_frame(s, buf, ptr - buf);
1145}
1146
1147static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1148{
1149	struct rfcomm_hdr *hdr;
1150	int len = skb->len;
1151	u8 *crc;
1152
1153	if (len > 127) {
1154		hdr = (void *) skb_push(skb, 4);
1155		put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1156	} else {
1157		hdr = (void *) skb_push(skb, 3);
1158		hdr->len = __len8(len);
1159	}
1160	hdr->addr = addr;
1161	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1162
1163	crc = skb_put(skb, 1);
1164	*crc = __fcs((void *) hdr);
1165}
1166
1167/* ---- RFCOMM frame reception ---- */
1168static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1169{
1170	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1171
1172	if (dlci) {
1173		/* Data channel */
1174		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1175		if (!d) {
1176			rfcomm_send_dm(s, dlci);
1177			return s;
1178		}
1179
1180		switch (d->state) {
1181		case BT_CONNECT:
1182			rfcomm_dlc_clear_timer(d);
1183
1184			rfcomm_dlc_lock(d);
1185			d->state = BT_CONNECTED;
1186			d->state_change(d, 0);
1187			rfcomm_dlc_unlock(d);
1188
1189			rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1190			break;
1191
1192		case BT_DISCONN:
1193			d->state = BT_CLOSED;
1194			__rfcomm_dlc_close(d, 0);
1195
1196			if (list_empty(&s->dlcs)) {
1197				s->state = BT_DISCONN;
1198				rfcomm_send_disc(s, 0);
1199				rfcomm_session_clear_timer(s);
1200			}
1201
1202			break;
1203		}
1204	} else {
1205		/* Control channel */
1206		switch (s->state) {
1207		case BT_CONNECT:
1208			s->state = BT_CONNECTED;
1209			rfcomm_process_connect(s);
1210			break;
1211
1212		case BT_DISCONN:
1213			s = rfcomm_session_close(s, ECONNRESET);
1214			break;
1215		}
1216	}
1217	return s;
1218}
1219
1220static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1221{
1222	int err = 0;
1223
1224	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1225
1226	if (dlci) {
1227		/* Data DLC */
1228		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1229		if (d) {
1230			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1231				err = ECONNREFUSED;
1232			else
1233				err = ECONNRESET;
1234
1235			d->state = BT_CLOSED;
1236			__rfcomm_dlc_close(d, err);
1237		}
1238	} else {
1239		if (s->state == BT_CONNECT)
1240			err = ECONNREFUSED;
1241		else
1242			err = ECONNRESET;
1243
1244		s = rfcomm_session_close(s, err);
1245	}
1246	return s;
1247}
1248
1249static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1250					       u8 dlci)
1251{
1252	int err = 0;
1253
1254	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1255
1256	if (dlci) {
1257		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1258		if (d) {
1259			rfcomm_send_ua(s, dlci);
1260
1261			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1262				err = ECONNREFUSED;
1263			else
1264				err = ECONNRESET;
1265
1266			d->state = BT_CLOSED;
1267			__rfcomm_dlc_close(d, err);
1268		} else
1269			rfcomm_send_dm(s, dlci);
1270
1271	} else {
1272		rfcomm_send_ua(s, 0);
1273
1274		if (s->state == BT_CONNECT)
1275			err = ECONNREFUSED;
1276		else
1277			err = ECONNRESET;
1278
1279		s = rfcomm_session_close(s, err);
1280	}
1281	return s;
1282}
1283
1284void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1285{
1286	struct sock *sk = d->session->sock->sk;
1287	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1288
1289	BT_DBG("dlc %p", d);
1290
1291	rfcomm_send_ua(d->session, d->dlci);
1292
1293	rfcomm_dlc_clear_timer(d);
1294
1295	rfcomm_dlc_lock(d);
1296	d->state = BT_CONNECTED;
1297	d->state_change(d, 0);
1298	rfcomm_dlc_unlock(d);
1299
1300	if (d->role_switch)
1301		hci_conn_switch_role(conn->hcon, 0x00);
1302
1303	rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1304}
1305
1306static void rfcomm_check_accept(struct rfcomm_dlc *d)
1307{
1308	if (rfcomm_check_security(d)) {
1309		if (d->defer_setup) {
1310			set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1311			rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1312
1313			rfcomm_dlc_lock(d);
1314			d->state = BT_CONNECT2;
1315			d->state_change(d, 0);
1316			rfcomm_dlc_unlock(d);
1317		} else
1318			rfcomm_dlc_accept(d);
1319	} else {
1320		set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1321		rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1322	}
1323}
1324
1325static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1326{
1327	struct rfcomm_dlc *d;
1328	u8 channel;
1329
1330	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1331
1332	if (!dlci) {
1333		rfcomm_send_ua(s, 0);
1334
1335		if (s->state == BT_OPEN) {
1336			s->state = BT_CONNECTED;
1337			rfcomm_process_connect(s);
1338		}
1339		return 0;
1340	}
1341
1342	/* Check if DLC exists */
1343	d = rfcomm_dlc_get(s, dlci);
1344	if (d) {
1345		if (d->state == BT_OPEN) {
1346			/* DLC was previously opened by PN request */
1347			rfcomm_check_accept(d);
1348		}
1349		return 0;
1350	}
1351
1352	/* Notify socket layer about incoming connection */
1353	channel = __srv_channel(dlci);
1354	if (rfcomm_connect_ind(s, channel, &d)) {
1355		d->dlci = dlci;
1356		d->addr = __addr(s->initiator, dlci);
1357		rfcomm_dlc_link(s, d);
1358
1359		rfcomm_check_accept(d);
1360	} else {
1361		rfcomm_send_dm(s, dlci);
1362	}
1363
1364	return 0;
1365}
1366
1367static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1368{
1369	struct rfcomm_session *s = d->session;
1370
1371	BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1372			d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1373
1374	if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1375						pn->flow_ctrl == 0xe0) {
1376		d->cfc = RFCOMM_CFC_ENABLED;
1377		d->tx_credits = pn->credits;
1378	} else {
1379		d->cfc = RFCOMM_CFC_DISABLED;
1380		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1381	}
1382
1383	if (s->cfc == RFCOMM_CFC_UNKNOWN)
1384		s->cfc = d->cfc;
1385
1386	d->priority = pn->priority;
1387
1388	d->mtu = __le16_to_cpu(pn->mtu);
1389
1390	if (cr && d->mtu > s->mtu)
1391		d->mtu = s->mtu;
1392
1393	return 0;
1394}
1395
1396static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1397{
1398	struct rfcomm_pn *pn = (void *) skb->data;
1399	struct rfcomm_dlc *d;
1400	u8 dlci = pn->dlci;
1401
1402	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1403
1404	if (!dlci)
1405		return 0;
1406
1407	d = rfcomm_dlc_get(s, dlci);
1408	if (d) {
1409		if (cr) {
1410			/* PN request */
1411			rfcomm_apply_pn(d, cr, pn);
1412			rfcomm_send_pn(s, 0, d);
1413		} else {
1414			/* PN response */
1415			switch (d->state) {
1416			case BT_CONFIG:
1417				rfcomm_apply_pn(d, cr, pn);
1418
1419				d->state = BT_CONNECT;
1420				rfcomm_send_sabm(s, d->dlci);
1421				break;
1422			}
1423		}
1424	} else {
1425		u8 channel = __srv_channel(dlci);
1426
1427		if (!cr)
1428			return 0;
1429
1430		/* PN request for non existing DLC.
1431		 * Assume incoming connection. */
1432		if (rfcomm_connect_ind(s, channel, &d)) {
1433			d->dlci = dlci;
1434			d->addr = __addr(s->initiator, dlci);
1435			rfcomm_dlc_link(s, d);
1436
1437			rfcomm_apply_pn(d, cr, pn);
1438
1439			d->state = BT_OPEN;
1440			rfcomm_send_pn(s, 0, d);
1441		} else {
1442			rfcomm_send_dm(s, dlci);
1443		}
1444	}
1445	return 0;
1446}
1447
1448static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1449{
1450	struct rfcomm_rpn *rpn = (void *) skb->data;
1451	u8 dlci = __get_dlci(rpn->dlci);
1452
1453	u8 bit_rate  = 0;
1454	u8 data_bits = 0;
1455	u8 stop_bits = 0;
1456	u8 parity    = 0;
1457	u8 flow_ctrl = 0;
1458	u8 xon_char  = 0;
1459	u8 xoff_char = 0;
1460	u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1461
1462	BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1463		dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1464		rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1465
1466	if (!cr)
1467		return 0;
1468
1469	if (len == 1) {
1470		/* This is a request, return default (according to ETSI TS 07.10) settings */
1471		bit_rate  = RFCOMM_RPN_BR_9600;
1472		data_bits = RFCOMM_RPN_DATA_8;
1473		stop_bits = RFCOMM_RPN_STOP_1;
1474		parity    = RFCOMM_RPN_PARITY_NONE;
1475		flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1476		xon_char  = RFCOMM_RPN_XON_CHAR;
1477		xoff_char = RFCOMM_RPN_XOFF_CHAR;
1478		goto rpn_out;
1479	}
1480
1481	/* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1482	 * no parity, no flow control lines, normal XON/XOFF chars */
1483
1484	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1485		bit_rate = rpn->bit_rate;
1486		if (bit_rate > RFCOMM_RPN_BR_230400) {
1487			BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1488			bit_rate = RFCOMM_RPN_BR_9600;
1489			rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1490		}
1491	}
1492
1493	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1494		data_bits = __get_rpn_data_bits(rpn->line_settings);
1495		if (data_bits != RFCOMM_RPN_DATA_8) {
1496			BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1497			data_bits = RFCOMM_RPN_DATA_8;
1498			rpn_mask ^= RFCOMM_RPN_PM_DATA;
1499		}
1500	}
1501
1502	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1503		stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1504		if (stop_bits != RFCOMM_RPN_STOP_1) {
1505			BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1506			stop_bits = RFCOMM_RPN_STOP_1;
1507			rpn_mask ^= RFCOMM_RPN_PM_STOP;
1508		}
1509	}
1510
1511	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1512		parity = __get_rpn_parity(rpn->line_settings);
1513		if (parity != RFCOMM_RPN_PARITY_NONE) {
1514			BT_DBG("RPN parity mismatch 0x%x", parity);
1515			parity = RFCOMM_RPN_PARITY_NONE;
1516			rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1517		}
1518	}
1519
1520	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1521		flow_ctrl = rpn->flow_ctrl;
1522		if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1523			BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1524			flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1525			rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1526		}
1527	}
1528
1529	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1530		xon_char = rpn->xon_char;
1531		if (xon_char != RFCOMM_RPN_XON_CHAR) {
1532			BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1533			xon_char = RFCOMM_RPN_XON_CHAR;
1534			rpn_mask ^= RFCOMM_RPN_PM_XON;
1535		}
1536	}
1537
1538	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1539		xoff_char = rpn->xoff_char;
1540		if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1541			BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1542			xoff_char = RFCOMM_RPN_XOFF_CHAR;
1543			rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1544		}
1545	}
1546
1547rpn_out:
1548	rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1549			parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1550
1551	return 0;
1552}
1553
1554static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1555{
1556	struct rfcomm_rls *rls = (void *) skb->data;
1557	u8 dlci = __get_dlci(rls->dlci);
1558
1559	BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1560
1561	if (!cr)
1562		return 0;
1563
1564	/* We should probably do something with this information here. But
1565	 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1566	 * mandatory to recognise and respond to RLS */
1567
1568	rfcomm_send_rls(s, 0, dlci, rls->status);
1569
1570	return 0;
1571}
1572
1573static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1574{
1575	struct rfcomm_msc *msc = (void *) skb->data;
1576	struct rfcomm_dlc *d;
1577	u8 dlci = __get_dlci(msc->dlci);
1578
1579	BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1580
1581	d = rfcomm_dlc_get(s, dlci);
1582	if (!d)
1583		return 0;
1584
1585	if (cr) {
1586		if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1587			set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1588		else
1589			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1590
1591		rfcomm_dlc_lock(d);
1592
1593		d->remote_v24_sig = msc->v24_sig;
1594
1595		if (d->modem_status)
1596			d->modem_status(d, msc->v24_sig);
1597
1598		rfcomm_dlc_unlock(d);
1599
1600		rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1601
1602		d->mscex |= RFCOMM_MSCEX_RX;
1603	} else
1604		d->mscex |= RFCOMM_MSCEX_TX;
1605
1606	return 0;
1607}
1608
1609static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1610{
1611	struct rfcomm_mcc *mcc = (void *) skb->data;
1612	u8 type, cr, len;
1613
1614	cr   = __test_cr(mcc->type);
1615	type = __get_mcc_type(mcc->type);
1616	len  = __get_mcc_len(mcc->len);
1617
1618	BT_DBG("%p type 0x%x cr %d", s, type, cr);
1619
1620	skb_pull(skb, 2);
1621
1622	switch (type) {
1623	case RFCOMM_PN:
1624		rfcomm_recv_pn(s, cr, skb);
1625		break;
1626
1627	case RFCOMM_RPN:
1628		rfcomm_recv_rpn(s, cr, len, skb);
1629		break;
1630
1631	case RFCOMM_RLS:
1632		rfcomm_recv_rls(s, cr, skb);
1633		break;
1634
1635	case RFCOMM_MSC:
1636		rfcomm_recv_msc(s, cr, skb);
1637		break;
1638
1639	case RFCOMM_FCOFF:
1640		if (cr) {
1641			set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1642			rfcomm_send_fcoff(s, 0);
1643		}
1644		break;
1645
1646	case RFCOMM_FCON:
1647		if (cr) {
1648			clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1649			rfcomm_send_fcon(s, 0);
1650		}
1651		break;
1652
1653	case RFCOMM_TEST:
1654		if (cr)
1655			rfcomm_send_test(s, 0, skb->data, skb->len);
1656		break;
1657
1658	case RFCOMM_NSC:
1659		break;
1660
1661	default:
1662		BT_ERR("Unknown control type 0x%02x", type);
1663		rfcomm_send_nsc(s, cr, type);
1664		break;
1665	}
1666	return 0;
1667}
1668
1669static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1670{
1671	struct rfcomm_dlc *d;
1672
1673	BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1674
1675	d = rfcomm_dlc_get(s, dlci);
1676	if (!d) {
1677		rfcomm_send_dm(s, dlci);
1678		goto drop;
1679	}
1680
1681	if (pf && d->cfc) {
1682		u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1683
1684		d->tx_credits += credits;
1685		if (d->tx_credits)
1686			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1687	}
1688
1689	if (skb->len && d->state == BT_CONNECTED) {
1690		rfcomm_dlc_lock(d);
1691		d->rx_credits--;
1692		d->data_ready(d, skb);
1693		rfcomm_dlc_unlock(d);
1694		return 0;
1695	}
1696
1697drop:
1698	kfree_skb(skb);
1699	return 0;
1700}
1701
1702static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1703						struct sk_buff *skb)
1704{
1705	struct rfcomm_hdr *hdr = (void *) skb->data;
1706	u8 type, dlci, fcs;
1707
1708	if (!s) {
1709		/* no session, so free socket data */
1710		kfree_skb(skb);
1711		return s;
1712	}
1713
1714	dlci = __get_dlci(hdr->addr);
1715	type = __get_type(hdr->ctrl);
1716
1717	/* Trim FCS */
1718	skb->len--; skb->tail--;
1719	fcs = *(u8 *)skb_tail_pointer(skb);
1720
1721	if (__check_fcs(skb->data, type, fcs)) {
1722		BT_ERR("bad checksum in packet");
1723		kfree_skb(skb);
1724		return s;
1725	}
1726
1727	if (__test_ea(hdr->len))
1728		skb_pull(skb, 3);
1729	else
1730		skb_pull(skb, 4);
1731
1732	switch (type) {
1733	case RFCOMM_SABM:
1734		if (__test_pf(hdr->ctrl))
1735			rfcomm_recv_sabm(s, dlci);
1736		break;
1737
1738	case RFCOMM_DISC:
1739		if (__test_pf(hdr->ctrl))
1740			s = rfcomm_recv_disc(s, dlci);
1741		break;
1742
1743	case RFCOMM_UA:
1744		if (__test_pf(hdr->ctrl))
1745			s = rfcomm_recv_ua(s, dlci);
1746		break;
1747
1748	case RFCOMM_DM:
1749		s = rfcomm_recv_dm(s, dlci);
1750		break;
1751
1752	case RFCOMM_UIH:
1753		if (dlci) {
1754			rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1755			return s;
1756		}
1757		rfcomm_recv_mcc(s, skb);
1758		break;
1759
1760	default:
1761		BT_ERR("Unknown packet type 0x%02x", type);
1762		break;
1763	}
1764	kfree_skb(skb);
1765	return s;
1766}
1767
1768/* ---- Connection and data processing ---- */
1769
1770static void rfcomm_process_connect(struct rfcomm_session *s)
1771{
1772	struct rfcomm_dlc *d;
1773	struct list_head *p, *n;
1774
1775	BT_DBG("session %p state %ld", s, s->state);
1776
1777	list_for_each_safe(p, n, &s->dlcs) {
1778		d = list_entry(p, struct rfcomm_dlc, list);
1779		if (d->state == BT_CONFIG) {
1780			d->mtu = s->mtu;
1781			if (rfcomm_check_security(d)) {
1782				rfcomm_send_pn(s, 1, d);
1783			} else {
1784				set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1785				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1786			}
1787		}
1788	}
1789}
1790
1791/* Send data queued for the DLC.
1792 * Return number of frames left in the queue.
1793 */
1794static int rfcomm_process_tx(struct rfcomm_dlc *d)
1795{
1796	struct sk_buff *skb;
1797	int err;
1798
1799	BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1800			d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1801
1802	/* Send pending MSC */
1803	if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1804		rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1805
1806	if (d->cfc) {
1807		/* CFC enabled.
1808		 * Give them some credits */
1809		if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1810				d->rx_credits <= (d->cfc >> 2)) {
1811			rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1812			d->rx_credits = d->cfc;
1813		}
1814	} else {
1815		/* CFC disabled.
1816		 * Give ourselves some credits */
1817		d->tx_credits = 5;
1818	}
1819
1820	if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1821		return skb_queue_len(&d->tx_queue);
1822
1823	while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1824		err = rfcomm_send_frame(d->session, skb->data, skb->len);
1825		if (err < 0) {
1826			skb_queue_head(&d->tx_queue, skb);
1827			break;
1828		}
1829		kfree_skb(skb);
1830		d->tx_credits--;
1831	}
1832
1833	if (d->cfc && !d->tx_credits) {
1834		/* We're out of TX credits.
1835		 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1836		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1837	}
1838
1839	return skb_queue_len(&d->tx_queue);
1840}
1841
1842static void rfcomm_process_dlcs(struct rfcomm_session *s)
1843{
1844	struct rfcomm_dlc *d;
1845	struct list_head *p, *n;
1846
1847	BT_DBG("session %p state %ld", s, s->state);
1848
1849	list_for_each_safe(p, n, &s->dlcs) {
1850		d = list_entry(p, struct rfcomm_dlc, list);
1851
1852		if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1853			__rfcomm_dlc_close(d, ETIMEDOUT);
1854			continue;
1855		}
1856
1857		if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1858			__rfcomm_dlc_close(d, ECONNREFUSED);
1859			continue;
1860		}
1861
1862		if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1863			rfcomm_dlc_clear_timer(d);
1864			if (d->out) {
1865				rfcomm_send_pn(s, 1, d);
1866				rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1867			} else {
1868				if (d->defer_setup) {
1869					set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1870					rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1871
1872					rfcomm_dlc_lock(d);
1873					d->state = BT_CONNECT2;
1874					d->state_change(d, 0);
1875					rfcomm_dlc_unlock(d);
1876				} else
1877					rfcomm_dlc_accept(d);
1878			}
1879			continue;
1880		} else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1881			rfcomm_dlc_clear_timer(d);
1882			if (!d->out)
1883				rfcomm_send_dm(s, d->dlci);
1884			else
1885				d->state = BT_CLOSED;
1886			__rfcomm_dlc_close(d, ECONNREFUSED);
1887			continue;
1888		}
1889
1890		if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1891			continue;
1892
1893		if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1894			continue;
1895
1896		if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1897						d->mscex == RFCOMM_MSCEX_OK)
1898			rfcomm_process_tx(d);
1899	}
1900}
1901
1902static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1903{
1904	struct socket *sock = s->sock;
1905	struct sock *sk = sock->sk;
1906	struct sk_buff *skb;
1907
1908	BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1909
1910	/* Get data directly from socket receive queue without copying it. */
1911	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1912		skb_orphan(skb);
1913		if (!skb_linearize(skb)) {
1914			s = rfcomm_recv_frame(s, skb);
1915			if (!s)
1916				break;
1917		} else {
1918			kfree_skb(skb);
1919		}
1920	}
1921
1922	if (s && (sk->sk_state == BT_CLOSED))
1923		s = rfcomm_session_close(s, sk->sk_err);
1924
1925	return s;
1926}
1927
1928static void rfcomm_accept_connection(struct rfcomm_session *s)
1929{
1930	struct socket *sock = s->sock, *nsock;
1931	int err;
1932
1933	/* Fast check for a new connection.
1934	 * Avoids unnesesary socket allocations. */
1935	if (list_empty(&bt_sk(sock->sk)->accept_q))
1936		return;
1937
1938	BT_DBG("session %p", s);
1939
1940	err = kernel_accept(sock, &nsock, O_NONBLOCK);
1941	if (err < 0)
1942		return;
1943
1944	/* Set our callbacks */
1945	nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1946	nsock->sk->sk_state_change = rfcomm_l2state_change;
1947
1948	s = rfcomm_session_add(nsock, BT_OPEN);
1949	if (s) {
1950		/* We should adjust MTU on incoming sessions.
1951		 * L2CAP MTU minus UIH header and FCS. */
1952		s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1953				l2cap_pi(nsock->sk)->chan->imtu) - 5;
1954
1955		rfcomm_schedule();
1956	} else
1957		sock_release(nsock);
1958}
1959
1960static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1961{
1962	struct sock *sk = s->sock->sk;
1963
1964	BT_DBG("%p state %ld", s, s->state);
1965
1966	switch (sk->sk_state) {
1967	case BT_CONNECTED:
1968		s->state = BT_CONNECT;
1969
1970		/* We can adjust MTU on outgoing sessions.
1971		 * L2CAP MTU minus UIH header and FCS. */
1972		s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1973
1974		rfcomm_send_sabm(s, 0);
1975		break;
1976
1977	case BT_CLOSED:
1978		s = rfcomm_session_close(s, sk->sk_err);
1979		break;
1980	}
1981	return s;
1982}
1983
1984static void rfcomm_process_sessions(void)
1985{
1986	struct list_head *p, *n;
1987
1988	rfcomm_lock();
1989
1990	list_for_each_safe(p, n, &session_list) {
1991		struct rfcomm_session *s;
1992		s = list_entry(p, struct rfcomm_session, list);
1993
1994		if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1995			s->state = BT_DISCONN;
1996			rfcomm_send_disc(s, 0);
1997			continue;
1998		}
1999
2000		switch (s->state) {
2001		case BT_LISTEN:
2002			rfcomm_accept_connection(s);
2003			continue;
2004
2005		case BT_BOUND:
2006			s = rfcomm_check_connection(s);
2007			break;
2008
2009		default:
2010			s = rfcomm_process_rx(s);
2011			break;
2012		}
2013
2014		if (s)
2015			rfcomm_process_dlcs(s);
2016	}
2017
2018	rfcomm_unlock();
2019}
2020
2021static int rfcomm_add_listener(bdaddr_t *ba)
2022{
2023	struct sockaddr_l2 addr;
2024	struct socket *sock;
2025	struct sock *sk;
2026	struct rfcomm_session *s;
2027	int    err = 0;
2028
2029	/* Create socket */
2030	err = rfcomm_l2sock_create(&sock);
2031	if (err < 0) {
2032		BT_ERR("Create socket failed %d", err);
2033		return err;
2034	}
2035
2036	/* Bind socket */
2037	bacpy(&addr.l2_bdaddr, ba);
2038	addr.l2_family = AF_BLUETOOTH;
2039	addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
2040	addr.l2_cid    = 0;
2041	addr.l2_bdaddr_type = BDADDR_BREDR;
2042	err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2043	if (err < 0) {
2044		BT_ERR("Bind failed %d", err);
2045		goto failed;
2046	}
2047
2048	/* Set L2CAP options */
2049	sk = sock->sk;
2050	lock_sock(sk);
2051	l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2052	release_sock(sk);
2053
2054	/* Start listening on the socket */
2055	err = kernel_listen(sock, 10);
2056	if (err) {
2057		BT_ERR("Listen failed %d", err);
2058		goto failed;
2059	}
2060
2061	/* Add listening session */
2062	s = rfcomm_session_add(sock, BT_LISTEN);
2063	if (!s) {
2064		err = -ENOMEM;
2065		goto failed;
2066	}
2067
2068	return 0;
2069failed:
2070	sock_release(sock);
2071	return err;
2072}
2073
2074static void rfcomm_kill_listener(void)
2075{
2076	struct rfcomm_session *s;
2077	struct list_head *p, *n;
2078
2079	BT_DBG("");
2080
2081	list_for_each_safe(p, n, &session_list) {
2082		s = list_entry(p, struct rfcomm_session, list);
2083		rfcomm_session_del(s);
2084	}
2085}
2086
2087static int rfcomm_run(void *unused)
2088{
2089	BT_DBG("");
2090
2091	set_user_nice(current, -10);
2092
2093	rfcomm_add_listener(BDADDR_ANY);
2094
2095	while (1) {
2096		set_current_state(TASK_INTERRUPTIBLE);
2097
2098		if (kthread_should_stop())
2099			break;
2100
2101		/* Process stuff */
2102		rfcomm_process_sessions();
2103
2104		schedule();
2105	}
2106	__set_current_state(TASK_RUNNING);
2107
2108	rfcomm_kill_listener();
2109
2110	return 0;
2111}
2112
2113static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2114{
2115	struct rfcomm_session *s;
2116	struct rfcomm_dlc *d;
2117	struct list_head *p, *n;
2118
2119	BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2120
2121	s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2122	if (!s)
2123		return;
2124
2125	list_for_each_safe(p, n, &s->dlcs) {
2126		d = list_entry(p, struct rfcomm_dlc, list);
2127
2128		if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2129			rfcomm_dlc_clear_timer(d);
2130			if (status || encrypt == 0x00) {
2131				set_bit(RFCOMM_ENC_DROP, &d->flags);
2132				continue;
2133			}
2134		}
2135
2136		if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2137			if (d->sec_level == BT_SECURITY_MEDIUM) {
2138				set_bit(RFCOMM_SEC_PENDING, &d->flags);
2139				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2140				continue;
2141			} else if (d->sec_level == BT_SECURITY_HIGH ||
2142				   d->sec_level == BT_SECURITY_FIPS) {
2143				set_bit(RFCOMM_ENC_DROP, &d->flags);
2144				continue;
2145			}
2146		}
2147
2148		if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2149			continue;
2150
2151		if (!status && hci_conn_check_secure(conn, d->sec_level))
2152			set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2153		else
2154			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2155	}
2156
2157	rfcomm_schedule();
2158}
2159
2160static struct hci_cb rfcomm_cb = {
2161	.name		= "RFCOMM",
2162	.security_cfm	= rfcomm_security_cfm
2163};
2164
2165static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2166{
2167	struct rfcomm_session *s;
2168
2169	rfcomm_lock();
2170
2171	list_for_each_entry(s, &session_list, list) {
2172		struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
2173		struct rfcomm_dlc *d;
2174		list_for_each_entry(d, &s->dlcs, list) {
2175			seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2176				   &chan->src, &chan->dst,
2177				   d->state, d->dlci, d->mtu,
2178				   d->rx_credits, d->tx_credits);
2179		}
2180	}
2181
2182	rfcomm_unlock();
2183
2184	return 0;
2185}
2186
2187static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2188{
2189	return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2190}
2191
2192static const struct file_operations rfcomm_dlc_debugfs_fops = {
2193	.open		= rfcomm_dlc_debugfs_open,
2194	.read		= seq_read,
2195	.llseek		= seq_lseek,
2196	.release	= single_release,
2197};
2198
2199static struct dentry *rfcomm_dlc_debugfs;
2200
2201/* ---- Initialization ---- */
2202static int __init rfcomm_init(void)
2203{
2204	int err;
2205
2206	hci_register_cb(&rfcomm_cb);
2207
2208	rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2209	if (IS_ERR(rfcomm_thread)) {
2210		err = PTR_ERR(rfcomm_thread);
2211		goto unregister;
2212	}
2213
2214	err = rfcomm_init_ttys();
2215	if (err < 0)
2216		goto stop;
2217
2218	err = rfcomm_init_sockets();
2219	if (err < 0)
2220		goto cleanup;
2221
2222	BT_INFO("RFCOMM ver %s", VERSION);
2223
2224	if (IS_ERR_OR_NULL(bt_debugfs))
2225		return 0;
2226
2227	rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2228						 bt_debugfs, NULL,
2229						 &rfcomm_dlc_debugfs_fops);
2230
2231	return 0;
2232
2233cleanup:
2234	rfcomm_cleanup_ttys();
2235
2236stop:
2237	kthread_stop(rfcomm_thread);
2238
2239unregister:
2240	hci_unregister_cb(&rfcomm_cb);
2241
2242	return err;
2243}
2244
2245static void __exit rfcomm_exit(void)
2246{
2247	debugfs_remove(rfcomm_dlc_debugfs);
2248
2249	hci_unregister_cb(&rfcomm_cb);
2250
2251	kthread_stop(rfcomm_thread);
2252
2253	rfcomm_cleanup_ttys();
2254
2255	rfcomm_cleanup_sockets();
2256}
2257
2258module_init(rfcomm_init);
2259module_exit(rfcomm_exit);
2260
2261module_param(disable_cfc, bool, 0644);
2262MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2263
2264module_param(channel_mtu, int, 0644);
2265MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2266
2267module_param(l2cap_mtu, uint, 0644);
2268MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2269
2270module_param(l2cap_ertm, bool, 0644);
2271MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2272
2273MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2274MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2275MODULE_VERSION(VERSION);
2276MODULE_LICENSE("GPL");
2277MODULE_ALIAS("bt-proto-3");
2278