1/* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22*/ 23 24/* 25 * Bluetooth RFCOMM core. 26 */ 27 28#include <linux/module.h> 29#include <linux/debugfs.h> 30#include <linux/kthread.h> 31#include <asm/unaligned.h> 32 33#include <net/bluetooth/bluetooth.h> 34#include <net/bluetooth/hci_core.h> 35#include <net/bluetooth/l2cap.h> 36#include <net/bluetooth/rfcomm.h> 37 38#define VERSION "1.11" 39 40static bool disable_cfc; 41static bool l2cap_ertm; 42static int channel_mtu = -1; 43 44static struct task_struct *rfcomm_thread; 45 46static DEFINE_MUTEX(rfcomm_mutex); 47#define rfcomm_lock() mutex_lock(&rfcomm_mutex) 48#define rfcomm_unlock() mutex_unlock(&rfcomm_mutex) 49 50 51static LIST_HEAD(session_list); 52 53static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len); 54static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 55static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 56static int rfcomm_queue_disc(struct rfcomm_dlc *d); 57static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type); 58static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d); 59static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig); 60static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len); 61static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits); 62static void rfcomm_make_uih(struct sk_buff *skb, u8 addr); 63 64static void rfcomm_process_connect(struct rfcomm_session *s); 65 66static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 67 bdaddr_t *dst, 68 u8 sec_level, 69 int *err); 70static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst); 71static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s); 72 73/* ---- RFCOMM frame parsing macros ---- */ 74#define __get_dlci(b) ((b & 0xfc) >> 2) 75#define __get_type(b) ((b & 0xef)) 76 77#define __test_ea(b) ((b & 0x01)) 78#define __test_cr(b) (!!(b & 0x02)) 79#define __test_pf(b) (!!(b & 0x10)) 80 81#define __session_dir(s) ((s)->initiator ? 0x00 : 0x01) 82 83#define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01) 84#define __ctrl(type, pf) (((type & 0xef) | (pf << 4))) 85#define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir) 86#define __srv_channel(dlci) (dlci >> 1) 87 88#define __len8(len) (((len) << 1) | 1) 89#define __len16(len) ((len) << 1) 90 91/* MCC macros */ 92#define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01)) 93#define __get_mcc_type(b) ((b & 0xfc) >> 2) 94#define __get_mcc_len(b) ((b & 0xfe) >> 1) 95 96/* RPN macros */ 97#define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3)) 98#define __get_rpn_data_bits(line) ((line) & 0x3) 99#define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1) 100#define __get_rpn_parity(line) (((line) >> 3) & 0x7) 101 102static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq); 103 104static void rfcomm_schedule(void) 105{ 106 wake_up_all(&rfcomm_wq); 107} 108 109/* ---- RFCOMM FCS computation ---- */ 110 111/* reversed, 8-bit, poly=0x07 */ 112static unsigned char rfcomm_crc_table[256] = { 113 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 114 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 115 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 116 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 117 118 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 119 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 120 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 121 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 122 123 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 124 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 125 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 126 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 127 128 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 129 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 130 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 131 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 132 133 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 134 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 135 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 136 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 137 138 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 139 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 140 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 141 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 142 143 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 144 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 145 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 146 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 147 148 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 149 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 150 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 151 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 152}; 153 154/* CRC on 2 bytes */ 155#define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]]) 156 157/* FCS on 2 bytes */ 158static inline u8 __fcs(u8 *data) 159{ 160 return 0xff - __crc(data); 161} 162 163/* FCS on 3 bytes */ 164static inline u8 __fcs2(u8 *data) 165{ 166 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]]; 167} 168 169/* Check FCS */ 170static inline int __check_fcs(u8 *data, int type, u8 fcs) 171{ 172 u8 f = __crc(data); 173 174 if (type != RFCOMM_UIH) 175 f = rfcomm_crc_table[f ^ data[2]]; 176 177 return rfcomm_crc_table[f ^ fcs] != 0xcf; 178} 179 180/* ---- L2CAP callbacks ---- */ 181static void rfcomm_l2state_change(struct sock *sk) 182{ 183 BT_DBG("%p state %d", sk, sk->sk_state); 184 rfcomm_schedule(); 185} 186 187static void rfcomm_l2data_ready(struct sock *sk) 188{ 189 BT_DBG("%p", sk); 190 rfcomm_schedule(); 191} 192 193static int rfcomm_l2sock_create(struct socket **sock) 194{ 195 int err; 196 197 BT_DBG(""); 198 199 err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock); 200 if (!err) { 201 struct sock *sk = (*sock)->sk; 202 sk->sk_data_ready = rfcomm_l2data_ready; 203 sk->sk_state_change = rfcomm_l2state_change; 204 } 205 return err; 206} 207 208static int rfcomm_check_security(struct rfcomm_dlc *d) 209{ 210 struct sock *sk = d->session->sock->sk; 211 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 212 213 __u8 auth_type; 214 215 switch (d->sec_level) { 216 case BT_SECURITY_HIGH: 217 case BT_SECURITY_FIPS: 218 auth_type = HCI_AT_GENERAL_BONDING_MITM; 219 break; 220 case BT_SECURITY_MEDIUM: 221 auth_type = HCI_AT_GENERAL_BONDING; 222 break; 223 default: 224 auth_type = HCI_AT_NO_BONDING; 225 break; 226 } 227 228 return hci_conn_security(conn->hcon, d->sec_level, auth_type, 229 d->out); 230} 231 232static void rfcomm_session_timeout(struct timer_list *t) 233{ 234 struct rfcomm_session *s = from_timer(s, t, timer); 235 236 BT_DBG("session %p state %ld", s, s->state); 237 238 set_bit(RFCOMM_TIMED_OUT, &s->flags); 239 rfcomm_schedule(); 240} 241 242static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout) 243{ 244 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout); 245 246 mod_timer(&s->timer, jiffies + timeout); 247} 248 249static void rfcomm_session_clear_timer(struct rfcomm_session *s) 250{ 251 BT_DBG("session %p state %ld", s, s->state); 252 253 del_timer_sync(&s->timer); 254} 255 256/* ---- RFCOMM DLCs ---- */ 257static void rfcomm_dlc_timeout(struct timer_list *t) 258{ 259 struct rfcomm_dlc *d = from_timer(d, t, timer); 260 261 BT_DBG("dlc %p state %ld", d, d->state); 262 263 set_bit(RFCOMM_TIMED_OUT, &d->flags); 264 rfcomm_dlc_put(d); 265 rfcomm_schedule(); 266} 267 268static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout) 269{ 270 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout); 271 272 if (!mod_timer(&d->timer, jiffies + timeout)) 273 rfcomm_dlc_hold(d); 274} 275 276static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d) 277{ 278 BT_DBG("dlc %p state %ld", d, d->state); 279 280 if (del_timer(&d->timer)) 281 rfcomm_dlc_put(d); 282} 283 284static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d) 285{ 286 BT_DBG("%p", d); 287 288 d->state = BT_OPEN; 289 d->flags = 0; 290 d->mscex = 0; 291 d->sec_level = BT_SECURITY_LOW; 292 d->mtu = RFCOMM_DEFAULT_MTU; 293 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV; 294 295 d->cfc = RFCOMM_CFC_DISABLED; 296 d->rx_credits = RFCOMM_DEFAULT_CREDITS; 297} 298 299struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio) 300{ 301 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio); 302 303 if (!d) 304 return NULL; 305 306 timer_setup(&d->timer, rfcomm_dlc_timeout, 0); 307 308 skb_queue_head_init(&d->tx_queue); 309 mutex_init(&d->lock); 310 refcount_set(&d->refcnt, 1); 311 312 rfcomm_dlc_clear_state(d); 313 314 BT_DBG("%p", d); 315 316 return d; 317} 318 319void rfcomm_dlc_free(struct rfcomm_dlc *d) 320{ 321 BT_DBG("%p", d); 322 323 skb_queue_purge(&d->tx_queue); 324 kfree(d); 325} 326 327static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d) 328{ 329 BT_DBG("dlc %p session %p", d, s); 330 331 rfcomm_session_clear_timer(s); 332 rfcomm_dlc_hold(d); 333 list_add(&d->list, &s->dlcs); 334 d->session = s; 335} 336 337static void rfcomm_dlc_unlink(struct rfcomm_dlc *d) 338{ 339 struct rfcomm_session *s = d->session; 340 341 BT_DBG("dlc %p refcnt %d session %p", d, refcount_read(&d->refcnt), s); 342 343 list_del(&d->list); 344 d->session = NULL; 345 rfcomm_dlc_put(d); 346 347 if (list_empty(&s->dlcs)) 348 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT); 349} 350 351static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci) 352{ 353 struct rfcomm_dlc *d; 354 355 list_for_each_entry(d, &s->dlcs, list) 356 if (d->dlci == dlci) 357 return d; 358 359 return NULL; 360} 361 362static int rfcomm_check_channel(u8 channel) 363{ 364 return channel < 1 || channel > 30; 365} 366 367static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 368{ 369 struct rfcomm_session *s; 370 int err = 0; 371 u8 dlci; 372 373 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d", 374 d, d->state, src, dst, channel); 375 376 if (rfcomm_check_channel(channel)) 377 return -EINVAL; 378 379 if (d->state != BT_OPEN && d->state != BT_CLOSED) 380 return 0; 381 382 s = rfcomm_session_get(src, dst); 383 if (!s) { 384 s = rfcomm_session_create(src, dst, d->sec_level, &err); 385 if (!s) 386 return err; 387 } 388 389 dlci = __dlci(__session_dir(s), channel); 390 391 /* Check if DLCI already exists */ 392 if (rfcomm_dlc_get(s, dlci)) 393 return -EBUSY; 394 395 rfcomm_dlc_clear_state(d); 396 397 d->dlci = dlci; 398 d->addr = __addr(s->initiator, dlci); 399 d->priority = 7; 400 401 d->state = BT_CONFIG; 402 rfcomm_dlc_link(s, d); 403 404 d->out = 1; 405 406 d->mtu = s->mtu; 407 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc; 408 409 if (s->state == BT_CONNECTED) { 410 if (rfcomm_check_security(d)) 411 rfcomm_send_pn(s, 1, d); 412 else 413 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 414 } 415 416 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 417 418 return 0; 419} 420 421int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 422{ 423 int r; 424 425 rfcomm_lock(); 426 427 r = __rfcomm_dlc_open(d, src, dst, channel); 428 429 rfcomm_unlock(); 430 return r; 431} 432 433static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d) 434{ 435 struct rfcomm_session *s = d->session; 436 437 d->state = BT_DISCONN; 438 if (skb_queue_empty(&d->tx_queue)) { 439 rfcomm_send_disc(s, d->dlci); 440 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT); 441 } else { 442 rfcomm_queue_disc(d); 443 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2); 444 } 445} 446 447static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 448{ 449 struct rfcomm_session *s = d->session; 450 if (!s) 451 return 0; 452 453 BT_DBG("dlc %p state %ld dlci %d err %d session %p", 454 d, d->state, d->dlci, err, s); 455 456 switch (d->state) { 457 case BT_CONNECT: 458 case BT_CONFIG: 459 case BT_OPEN: 460 case BT_CONNECT2: 461 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 462 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 463 rfcomm_schedule(); 464 return 0; 465 } 466 } 467 468 switch (d->state) { 469 case BT_CONNECT: 470 case BT_CONNECTED: 471 __rfcomm_dlc_disconn(d); 472 break; 473 474 case BT_CONFIG: 475 if (s->state != BT_BOUND) { 476 __rfcomm_dlc_disconn(d); 477 break; 478 } 479 /* if closing a dlc in a session that hasn't been started, 480 * just close and unlink the dlc 481 */ 482 fallthrough; 483 484 default: 485 rfcomm_dlc_clear_timer(d); 486 487 rfcomm_dlc_lock(d); 488 d->state = BT_CLOSED; 489 d->state_change(d, err); 490 rfcomm_dlc_unlock(d); 491 492 skb_queue_purge(&d->tx_queue); 493 rfcomm_dlc_unlink(d); 494 } 495 496 return 0; 497} 498 499int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 500{ 501 int r = 0; 502 struct rfcomm_dlc *d_list; 503 struct rfcomm_session *s, *s_list; 504 505 BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err); 506 507 rfcomm_lock(); 508 509 s = d->session; 510 if (!s) 511 goto no_session; 512 513 /* after waiting on the mutex check the session still exists 514 * then check the dlc still exists 515 */ 516 list_for_each_entry(s_list, &session_list, list) { 517 if (s_list == s) { 518 list_for_each_entry(d_list, &s->dlcs, list) { 519 if (d_list == d) { 520 r = __rfcomm_dlc_close(d, err); 521 break; 522 } 523 } 524 break; 525 } 526 } 527 528no_session: 529 rfcomm_unlock(); 530 return r; 531} 532 533struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel) 534{ 535 struct rfcomm_session *s; 536 struct rfcomm_dlc *dlc = NULL; 537 u8 dlci; 538 539 if (rfcomm_check_channel(channel)) 540 return ERR_PTR(-EINVAL); 541 542 rfcomm_lock(); 543 s = rfcomm_session_get(src, dst); 544 if (s) { 545 dlci = __dlci(__session_dir(s), channel); 546 dlc = rfcomm_dlc_get(s, dlci); 547 } 548 rfcomm_unlock(); 549 return dlc; 550} 551 552static int rfcomm_dlc_send_frag(struct rfcomm_dlc *d, struct sk_buff *frag) 553{ 554 int len = frag->len; 555 556 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 557 558 if (len > d->mtu) 559 return -EINVAL; 560 561 rfcomm_make_uih(frag, d->addr); 562 __skb_queue_tail(&d->tx_queue, frag); 563 564 return len; 565} 566 567int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 568{ 569 unsigned long flags; 570 struct sk_buff *frag, *next; 571 int len; 572 573 if (d->state != BT_CONNECTED) 574 return -ENOTCONN; 575 576 frag = skb_shinfo(skb)->frag_list; 577 skb_shinfo(skb)->frag_list = NULL; 578 579 /* Queue all fragments atomically. */ 580 spin_lock_irqsave(&d->tx_queue.lock, flags); 581 582 len = rfcomm_dlc_send_frag(d, skb); 583 if (len < 0 || !frag) 584 goto unlock; 585 586 for (; frag; frag = next) { 587 int ret; 588 589 next = frag->next; 590 591 ret = rfcomm_dlc_send_frag(d, frag); 592 if (ret < 0) { 593 dev_kfree_skb_irq(frag); 594 goto unlock; 595 } 596 597 len += ret; 598 } 599 600unlock: 601 spin_unlock_irqrestore(&d->tx_queue.lock, flags); 602 603 if (len > 0 && !test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 604 rfcomm_schedule(); 605 return len; 606} 607 608void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb) 609{ 610 int len = skb->len; 611 612 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 613 614 rfcomm_make_uih(skb, d->addr); 615 skb_queue_tail(&d->tx_queue, skb); 616 617 if (d->state == BT_CONNECTED && 618 !test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 619 rfcomm_schedule(); 620} 621 622void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 623{ 624 BT_DBG("dlc %p state %ld", d, d->state); 625 626 if (!d->cfc) { 627 d->v24_sig |= RFCOMM_V24_FC; 628 set_bit(RFCOMM_MSC_PENDING, &d->flags); 629 } 630 rfcomm_schedule(); 631} 632 633void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d) 634{ 635 BT_DBG("dlc %p state %ld", d, d->state); 636 637 if (!d->cfc) { 638 d->v24_sig &= ~RFCOMM_V24_FC; 639 set_bit(RFCOMM_MSC_PENDING, &d->flags); 640 } 641 rfcomm_schedule(); 642} 643 644/* 645 Set/get modem status functions use _local_ status i.e. what we report 646 to the other side. 647 Remote status is provided by dlc->modem_status() callback. 648 */ 649int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig) 650{ 651 BT_DBG("dlc %p state %ld v24_sig 0x%x", 652 d, d->state, v24_sig); 653 654 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags)) 655 v24_sig |= RFCOMM_V24_FC; 656 else 657 v24_sig &= ~RFCOMM_V24_FC; 658 659 d->v24_sig = v24_sig; 660 661 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags)) 662 rfcomm_schedule(); 663 664 return 0; 665} 666 667int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig) 668{ 669 BT_DBG("dlc %p state %ld v24_sig 0x%x", 670 d, d->state, d->v24_sig); 671 672 *v24_sig = d->v24_sig; 673 return 0; 674} 675 676/* ---- RFCOMM sessions ---- */ 677static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state) 678{ 679 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL); 680 681 if (!s) 682 return NULL; 683 684 BT_DBG("session %p sock %p", s, sock); 685 686 timer_setup(&s->timer, rfcomm_session_timeout, 0); 687 688 INIT_LIST_HEAD(&s->dlcs); 689 s->state = state; 690 s->sock = sock; 691 692 s->mtu = RFCOMM_DEFAULT_MTU; 693 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN; 694 695 /* Do not increment module usage count for listening sessions. 696 * Otherwise we won't be able to unload the module. */ 697 if (state != BT_LISTEN) 698 if (!try_module_get(THIS_MODULE)) { 699 kfree(s); 700 return NULL; 701 } 702 703 list_add(&s->list, &session_list); 704 705 return s; 706} 707 708static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s) 709{ 710 int state = s->state; 711 712 BT_DBG("session %p state %ld", s, s->state); 713 714 list_del(&s->list); 715 716 rfcomm_session_clear_timer(s); 717 sock_release(s->sock); 718 kfree(s); 719 720 if (state != BT_LISTEN) 721 module_put(THIS_MODULE); 722 723 return NULL; 724} 725 726static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst) 727{ 728 struct rfcomm_session *s, *n; 729 struct l2cap_chan *chan; 730 list_for_each_entry_safe(s, n, &session_list, list) { 731 chan = l2cap_pi(s->sock->sk)->chan; 732 733 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) && 734 !bacmp(&chan->dst, dst)) 735 return s; 736 } 737 return NULL; 738} 739 740static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s, 741 int err) 742{ 743 struct rfcomm_dlc *d, *n; 744 745 s->state = BT_CLOSED; 746 747 BT_DBG("session %p state %ld err %d", s, s->state, err); 748 749 /* Close all dlcs */ 750 list_for_each_entry_safe(d, n, &s->dlcs, list) { 751 d->state = BT_CLOSED; 752 __rfcomm_dlc_close(d, err); 753 } 754 755 rfcomm_session_clear_timer(s); 756 return rfcomm_session_del(s); 757} 758 759static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 760 bdaddr_t *dst, 761 u8 sec_level, 762 int *err) 763{ 764 struct rfcomm_session *s = NULL; 765 struct sockaddr_l2 addr; 766 struct socket *sock; 767 struct sock *sk; 768 769 BT_DBG("%pMR -> %pMR", src, dst); 770 771 *err = rfcomm_l2sock_create(&sock); 772 if (*err < 0) 773 return NULL; 774 775 bacpy(&addr.l2_bdaddr, src); 776 addr.l2_family = AF_BLUETOOTH; 777 addr.l2_psm = 0; 778 addr.l2_cid = 0; 779 addr.l2_bdaddr_type = BDADDR_BREDR; 780 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 781 if (*err < 0) 782 goto failed; 783 784 /* Set L2CAP options */ 785 sk = sock->sk; 786 lock_sock(sk); 787 /* Set MTU to 0 so L2CAP can auto select the MTU */ 788 l2cap_pi(sk)->chan->imtu = 0; 789 l2cap_pi(sk)->chan->sec_level = sec_level; 790 if (l2cap_ertm) 791 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM; 792 release_sock(sk); 793 794 s = rfcomm_session_add(sock, BT_BOUND); 795 if (!s) { 796 *err = -ENOMEM; 797 goto failed; 798 } 799 800 s->initiator = 1; 801 802 bacpy(&addr.l2_bdaddr, dst); 803 addr.l2_family = AF_BLUETOOTH; 804 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM); 805 addr.l2_cid = 0; 806 addr.l2_bdaddr_type = BDADDR_BREDR; 807 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK); 808 if (*err == 0 || *err == -EINPROGRESS) 809 return s; 810 811 return rfcomm_session_del(s); 812 813failed: 814 sock_release(sock); 815 return NULL; 816} 817 818void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst) 819{ 820 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan; 821 if (src) 822 bacpy(src, &chan->src); 823 if (dst) 824 bacpy(dst, &chan->dst); 825} 826 827/* ---- RFCOMM frame sending ---- */ 828static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len) 829{ 830 struct kvec iv = { data, len }; 831 struct msghdr msg; 832 833 BT_DBG("session %p len %d", s, len); 834 835 memset(&msg, 0, sizeof(msg)); 836 837 return kernel_sendmsg(s->sock, &msg, &iv, 1, len); 838} 839 840static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd) 841{ 842 BT_DBG("%p cmd %u", s, cmd->ctrl); 843 844 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd)); 845} 846 847static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 848{ 849 struct rfcomm_cmd cmd; 850 851 BT_DBG("%p dlci %d", s, dlci); 852 853 cmd.addr = __addr(s->initiator, dlci); 854 cmd.ctrl = __ctrl(RFCOMM_SABM, 1); 855 cmd.len = __len8(0); 856 cmd.fcs = __fcs2((u8 *) &cmd); 857 858 return rfcomm_send_cmd(s, &cmd); 859} 860 861static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci) 862{ 863 struct rfcomm_cmd cmd; 864 865 BT_DBG("%p dlci %d", s, dlci); 866 867 cmd.addr = __addr(!s->initiator, dlci); 868 cmd.ctrl = __ctrl(RFCOMM_UA, 1); 869 cmd.len = __len8(0); 870 cmd.fcs = __fcs2((u8 *) &cmd); 871 872 return rfcomm_send_cmd(s, &cmd); 873} 874 875static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci) 876{ 877 struct rfcomm_cmd cmd; 878 879 BT_DBG("%p dlci %d", s, dlci); 880 881 cmd.addr = __addr(s->initiator, dlci); 882 cmd.ctrl = __ctrl(RFCOMM_DISC, 1); 883 cmd.len = __len8(0); 884 cmd.fcs = __fcs2((u8 *) &cmd); 885 886 return rfcomm_send_cmd(s, &cmd); 887} 888 889static int rfcomm_queue_disc(struct rfcomm_dlc *d) 890{ 891 struct rfcomm_cmd *cmd; 892 struct sk_buff *skb; 893 894 BT_DBG("dlc %p dlci %d", d, d->dlci); 895 896 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL); 897 if (!skb) 898 return -ENOMEM; 899 900 cmd = __skb_put(skb, sizeof(*cmd)); 901 cmd->addr = d->addr; 902 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 903 cmd->len = __len8(0); 904 cmd->fcs = __fcs2((u8 *) cmd); 905 906 skb_queue_tail(&d->tx_queue, skb); 907 rfcomm_schedule(); 908 return 0; 909} 910 911static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci) 912{ 913 struct rfcomm_cmd cmd; 914 915 BT_DBG("%p dlci %d", s, dlci); 916 917 cmd.addr = __addr(!s->initiator, dlci); 918 cmd.ctrl = __ctrl(RFCOMM_DM, 1); 919 cmd.len = __len8(0); 920 cmd.fcs = __fcs2((u8 *) &cmd); 921 922 return rfcomm_send_cmd(s, &cmd); 923} 924 925static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) 926{ 927 struct rfcomm_hdr *hdr; 928 struct rfcomm_mcc *mcc; 929 u8 buf[16], *ptr = buf; 930 931 BT_DBG("%p cr %d type %d", s, cr, type); 932 933 hdr = (void *) ptr; ptr += sizeof(*hdr); 934 hdr->addr = __addr(s->initiator, 0); 935 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 936 hdr->len = __len8(sizeof(*mcc) + 1); 937 938 mcc = (void *) ptr; ptr += sizeof(*mcc); 939 mcc->type = __mcc_type(0, RFCOMM_NSC); 940 mcc->len = __len8(1); 941 942 /* Type that we didn't like */ 943 *ptr = __mcc_type(cr, type); ptr++; 944 945 *ptr = __fcs(buf); ptr++; 946 947 return rfcomm_send_frame(s, buf, ptr - buf); 948} 949 950static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 951{ 952 struct rfcomm_hdr *hdr; 953 struct rfcomm_mcc *mcc; 954 struct rfcomm_pn *pn; 955 u8 buf[16], *ptr = buf; 956 957 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu); 958 959 hdr = (void *) ptr; ptr += sizeof(*hdr); 960 hdr->addr = __addr(s->initiator, 0); 961 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 962 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn)); 963 964 mcc = (void *) ptr; ptr += sizeof(*mcc); 965 mcc->type = __mcc_type(cr, RFCOMM_PN); 966 mcc->len = __len8(sizeof(*pn)); 967 968 pn = (void *) ptr; ptr += sizeof(*pn); 969 pn->dlci = d->dlci; 970 pn->priority = d->priority; 971 pn->ack_timer = 0; 972 pn->max_retrans = 0; 973 974 if (s->cfc) { 975 pn->flow_ctrl = cr ? 0xf0 : 0xe0; 976 pn->credits = RFCOMM_DEFAULT_CREDITS; 977 } else { 978 pn->flow_ctrl = 0; 979 pn->credits = 0; 980 } 981 982 if (cr && channel_mtu >= 0) 983 pn->mtu = cpu_to_le16(channel_mtu); 984 else 985 pn->mtu = cpu_to_le16(d->mtu); 986 987 *ptr = __fcs(buf); ptr++; 988 989 return rfcomm_send_frame(s, buf, ptr - buf); 990} 991 992int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 993 u8 bit_rate, u8 data_bits, u8 stop_bits, 994 u8 parity, u8 flow_ctrl_settings, 995 u8 xon_char, u8 xoff_char, u16 param_mask) 996{ 997 struct rfcomm_hdr *hdr; 998 struct rfcomm_mcc *mcc; 999 struct rfcomm_rpn *rpn; 1000 u8 buf[16], *ptr = buf; 1001 1002 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x" 1003 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 1004 s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 1005 flow_ctrl_settings, xon_char, xoff_char, param_mask); 1006 1007 hdr = (void *) ptr; ptr += sizeof(*hdr); 1008 hdr->addr = __addr(s->initiator, 0); 1009 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1010 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn)); 1011 1012 mcc = (void *) ptr; ptr += sizeof(*mcc); 1013 mcc->type = __mcc_type(cr, RFCOMM_RPN); 1014 mcc->len = __len8(sizeof(*rpn)); 1015 1016 rpn = (void *) ptr; ptr += sizeof(*rpn); 1017 rpn->dlci = __addr(1, dlci); 1018 rpn->bit_rate = bit_rate; 1019 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity); 1020 rpn->flow_ctrl = flow_ctrl_settings; 1021 rpn->xon_char = xon_char; 1022 rpn->xoff_char = xoff_char; 1023 rpn->param_mask = cpu_to_le16(param_mask); 1024 1025 *ptr = __fcs(buf); ptr++; 1026 1027 return rfcomm_send_frame(s, buf, ptr - buf); 1028} 1029 1030static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 1031{ 1032 struct rfcomm_hdr *hdr; 1033 struct rfcomm_mcc *mcc; 1034 struct rfcomm_rls *rls; 1035 u8 buf[16], *ptr = buf; 1036 1037 BT_DBG("%p cr %d status 0x%x", s, cr, status); 1038 1039 hdr = (void *) ptr; ptr += sizeof(*hdr); 1040 hdr->addr = __addr(s->initiator, 0); 1041 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1042 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls)); 1043 1044 mcc = (void *) ptr; ptr += sizeof(*mcc); 1045 mcc->type = __mcc_type(cr, RFCOMM_RLS); 1046 mcc->len = __len8(sizeof(*rls)); 1047 1048 rls = (void *) ptr; ptr += sizeof(*rls); 1049 rls->dlci = __addr(1, dlci); 1050 rls->status = status; 1051 1052 *ptr = __fcs(buf); ptr++; 1053 1054 return rfcomm_send_frame(s, buf, ptr - buf); 1055} 1056 1057static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 1058{ 1059 struct rfcomm_hdr *hdr; 1060 struct rfcomm_mcc *mcc; 1061 struct rfcomm_msc *msc; 1062 u8 buf[16], *ptr = buf; 1063 1064 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig); 1065 1066 hdr = (void *) ptr; ptr += sizeof(*hdr); 1067 hdr->addr = __addr(s->initiator, 0); 1068 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1069 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc)); 1070 1071 mcc = (void *) ptr; ptr += sizeof(*mcc); 1072 mcc->type = __mcc_type(cr, RFCOMM_MSC); 1073 mcc->len = __len8(sizeof(*msc)); 1074 1075 msc = (void *) ptr; ptr += sizeof(*msc); 1076 msc->dlci = __addr(1, dlci); 1077 msc->v24_sig = v24_sig | 0x01; 1078 1079 *ptr = __fcs(buf); ptr++; 1080 1081 return rfcomm_send_frame(s, buf, ptr - buf); 1082} 1083 1084static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 1085{ 1086 struct rfcomm_hdr *hdr; 1087 struct rfcomm_mcc *mcc; 1088 u8 buf[16], *ptr = buf; 1089 1090 BT_DBG("%p cr %d", s, cr); 1091 1092 hdr = (void *) ptr; ptr += sizeof(*hdr); 1093 hdr->addr = __addr(s->initiator, 0); 1094 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1095 hdr->len = __len8(sizeof(*mcc)); 1096 1097 mcc = (void *) ptr; ptr += sizeof(*mcc); 1098 mcc->type = __mcc_type(cr, RFCOMM_FCOFF); 1099 mcc->len = __len8(0); 1100 1101 *ptr = __fcs(buf); ptr++; 1102 1103 return rfcomm_send_frame(s, buf, ptr - buf); 1104} 1105 1106static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1107{ 1108 struct rfcomm_hdr *hdr; 1109 struct rfcomm_mcc *mcc; 1110 u8 buf[16], *ptr = buf; 1111 1112 BT_DBG("%p cr %d", s, cr); 1113 1114 hdr = (void *) ptr; ptr += sizeof(*hdr); 1115 hdr->addr = __addr(s->initiator, 0); 1116 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1117 hdr->len = __len8(sizeof(*mcc)); 1118 1119 mcc = (void *) ptr; ptr += sizeof(*mcc); 1120 mcc->type = __mcc_type(cr, RFCOMM_FCON); 1121 mcc->len = __len8(0); 1122 1123 *ptr = __fcs(buf); ptr++; 1124 1125 return rfcomm_send_frame(s, buf, ptr - buf); 1126} 1127 1128static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1129{ 1130 struct socket *sock = s->sock; 1131 struct kvec iv[3]; 1132 struct msghdr msg; 1133 unsigned char hdr[5], crc[1]; 1134 1135 if (len > 125) 1136 return -EINVAL; 1137 1138 BT_DBG("%p cr %d", s, cr); 1139 1140 hdr[0] = __addr(s->initiator, 0); 1141 hdr[1] = __ctrl(RFCOMM_UIH, 0); 1142 hdr[2] = 0x01 | ((len + 2) << 1); 1143 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2); 1144 hdr[4] = 0x01 | (len << 1); 1145 1146 crc[0] = __fcs(hdr); 1147 1148 iv[0].iov_base = hdr; 1149 iv[0].iov_len = 5; 1150 iv[1].iov_base = pattern; 1151 iv[1].iov_len = len; 1152 iv[2].iov_base = crc; 1153 iv[2].iov_len = 1; 1154 1155 memset(&msg, 0, sizeof(msg)); 1156 1157 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len); 1158} 1159 1160static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits) 1161{ 1162 struct rfcomm_hdr *hdr; 1163 u8 buf[16], *ptr = buf; 1164 1165 BT_DBG("%p addr %d credits %d", s, addr, credits); 1166 1167 hdr = (void *) ptr; ptr += sizeof(*hdr); 1168 hdr->addr = addr; 1169 hdr->ctrl = __ctrl(RFCOMM_UIH, 1); 1170 hdr->len = __len8(0); 1171 1172 *ptr = credits; ptr++; 1173 1174 *ptr = __fcs(buf); ptr++; 1175 1176 return rfcomm_send_frame(s, buf, ptr - buf); 1177} 1178 1179static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1180{ 1181 struct rfcomm_hdr *hdr; 1182 int len = skb->len; 1183 u8 *crc; 1184 1185 if (len > 127) { 1186 hdr = skb_push(skb, 4); 1187 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len); 1188 } else { 1189 hdr = skb_push(skb, 3); 1190 hdr->len = __len8(len); 1191 } 1192 hdr->addr = addr; 1193 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1194 1195 crc = skb_put(skb, 1); 1196 *crc = __fcs((void *) hdr); 1197} 1198 1199/* ---- RFCOMM frame reception ---- */ 1200static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) 1201{ 1202 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1203 1204 if (dlci) { 1205 /* Data channel */ 1206 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1207 if (!d) { 1208 rfcomm_send_dm(s, dlci); 1209 return s; 1210 } 1211 1212 switch (d->state) { 1213 case BT_CONNECT: 1214 rfcomm_dlc_clear_timer(d); 1215 1216 rfcomm_dlc_lock(d); 1217 d->state = BT_CONNECTED; 1218 d->state_change(d, 0); 1219 rfcomm_dlc_unlock(d); 1220 1221 rfcomm_send_msc(s, 1, dlci, d->v24_sig); 1222 break; 1223 1224 case BT_DISCONN: 1225 d->state = BT_CLOSED; 1226 __rfcomm_dlc_close(d, 0); 1227 1228 if (list_empty(&s->dlcs)) { 1229 s->state = BT_DISCONN; 1230 rfcomm_send_disc(s, 0); 1231 rfcomm_session_clear_timer(s); 1232 } 1233 1234 break; 1235 } 1236 } else { 1237 /* Control channel */ 1238 switch (s->state) { 1239 case BT_CONNECT: 1240 s->state = BT_CONNECTED; 1241 rfcomm_process_connect(s); 1242 break; 1243 1244 case BT_DISCONN: 1245 s = rfcomm_session_close(s, ECONNRESET); 1246 break; 1247 } 1248 } 1249 return s; 1250} 1251 1252static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci) 1253{ 1254 int err = 0; 1255 1256 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1257 1258 if (dlci) { 1259 /* Data DLC */ 1260 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1261 if (d) { 1262 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1263 err = ECONNREFUSED; 1264 else 1265 err = ECONNRESET; 1266 1267 d->state = BT_CLOSED; 1268 __rfcomm_dlc_close(d, err); 1269 } 1270 } else { 1271 if (s->state == BT_CONNECT) 1272 err = ECONNREFUSED; 1273 else 1274 err = ECONNRESET; 1275 1276 s = rfcomm_session_close(s, err); 1277 } 1278 return s; 1279} 1280 1281static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s, 1282 u8 dlci) 1283{ 1284 int err = 0; 1285 1286 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1287 1288 if (dlci) { 1289 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1290 if (d) { 1291 rfcomm_send_ua(s, dlci); 1292 1293 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1294 err = ECONNREFUSED; 1295 else 1296 err = ECONNRESET; 1297 1298 d->state = BT_CLOSED; 1299 __rfcomm_dlc_close(d, err); 1300 } else 1301 rfcomm_send_dm(s, dlci); 1302 1303 } else { 1304 rfcomm_send_ua(s, 0); 1305 1306 if (s->state == BT_CONNECT) 1307 err = ECONNREFUSED; 1308 else 1309 err = ECONNRESET; 1310 1311 s = rfcomm_session_close(s, err); 1312 } 1313 return s; 1314} 1315 1316void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1317{ 1318 struct sock *sk = d->session->sock->sk; 1319 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 1320 1321 BT_DBG("dlc %p", d); 1322 1323 rfcomm_send_ua(d->session, d->dlci); 1324 1325 rfcomm_dlc_clear_timer(d); 1326 1327 rfcomm_dlc_lock(d); 1328 d->state = BT_CONNECTED; 1329 d->state_change(d, 0); 1330 rfcomm_dlc_unlock(d); 1331 1332 if (d->role_switch) 1333 hci_conn_switch_role(conn->hcon, 0x00); 1334 1335 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1336} 1337 1338static void rfcomm_check_accept(struct rfcomm_dlc *d) 1339{ 1340 if (rfcomm_check_security(d)) { 1341 if (d->defer_setup) { 1342 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1343 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1344 1345 rfcomm_dlc_lock(d); 1346 d->state = BT_CONNECT2; 1347 d->state_change(d, 0); 1348 rfcomm_dlc_unlock(d); 1349 } else 1350 rfcomm_dlc_accept(d); 1351 } else { 1352 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1353 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1354 } 1355} 1356 1357static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci) 1358{ 1359 struct rfcomm_dlc *d; 1360 u8 channel; 1361 1362 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1363 1364 if (!dlci) { 1365 rfcomm_send_ua(s, 0); 1366 1367 if (s->state == BT_OPEN) { 1368 s->state = BT_CONNECTED; 1369 rfcomm_process_connect(s); 1370 } 1371 return 0; 1372 } 1373 1374 /* Check if DLC exists */ 1375 d = rfcomm_dlc_get(s, dlci); 1376 if (d) { 1377 if (d->state == BT_OPEN) { 1378 /* DLC was previously opened by PN request */ 1379 rfcomm_check_accept(d); 1380 } 1381 return 0; 1382 } 1383 1384 /* Notify socket layer about incoming connection */ 1385 channel = __srv_channel(dlci); 1386 if (rfcomm_connect_ind(s, channel, &d)) { 1387 d->dlci = dlci; 1388 d->addr = __addr(s->initiator, dlci); 1389 rfcomm_dlc_link(s, d); 1390 1391 rfcomm_check_accept(d); 1392 } else { 1393 rfcomm_send_dm(s, dlci); 1394 } 1395 1396 return 0; 1397} 1398 1399static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) 1400{ 1401 struct rfcomm_session *s = d->session; 1402 1403 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d", 1404 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits); 1405 1406 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) || 1407 pn->flow_ctrl == 0xe0) { 1408 d->cfc = RFCOMM_CFC_ENABLED; 1409 d->tx_credits = pn->credits; 1410 } else { 1411 d->cfc = RFCOMM_CFC_DISABLED; 1412 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1413 } 1414 1415 if (s->cfc == RFCOMM_CFC_UNKNOWN) 1416 s->cfc = d->cfc; 1417 1418 d->priority = pn->priority; 1419 1420 d->mtu = __le16_to_cpu(pn->mtu); 1421 1422 if (cr && d->mtu > s->mtu) 1423 d->mtu = s->mtu; 1424 1425 return 0; 1426} 1427 1428static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1429{ 1430 struct rfcomm_pn *pn = (void *) skb->data; 1431 struct rfcomm_dlc *d; 1432 u8 dlci = pn->dlci; 1433 1434 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1435 1436 if (!dlci) 1437 return 0; 1438 1439 d = rfcomm_dlc_get(s, dlci); 1440 if (d) { 1441 if (cr) { 1442 /* PN request */ 1443 rfcomm_apply_pn(d, cr, pn); 1444 rfcomm_send_pn(s, 0, d); 1445 } else { 1446 /* PN response */ 1447 switch (d->state) { 1448 case BT_CONFIG: 1449 rfcomm_apply_pn(d, cr, pn); 1450 1451 d->state = BT_CONNECT; 1452 rfcomm_send_sabm(s, d->dlci); 1453 break; 1454 } 1455 } 1456 } else { 1457 u8 channel = __srv_channel(dlci); 1458 1459 if (!cr) 1460 return 0; 1461 1462 /* PN request for non existing DLC. 1463 * Assume incoming connection. */ 1464 if (rfcomm_connect_ind(s, channel, &d)) { 1465 d->dlci = dlci; 1466 d->addr = __addr(s->initiator, dlci); 1467 rfcomm_dlc_link(s, d); 1468 1469 rfcomm_apply_pn(d, cr, pn); 1470 1471 d->state = BT_OPEN; 1472 rfcomm_send_pn(s, 0, d); 1473 } else { 1474 rfcomm_send_dm(s, dlci); 1475 } 1476 } 1477 return 0; 1478} 1479 1480static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) 1481{ 1482 struct rfcomm_rpn *rpn = (void *) skb->data; 1483 u8 dlci = __get_dlci(rpn->dlci); 1484 1485 u8 bit_rate = 0; 1486 u8 data_bits = 0; 1487 u8 stop_bits = 0; 1488 u8 parity = 0; 1489 u8 flow_ctrl = 0; 1490 u8 xon_char = 0; 1491 u8 xoff_char = 0; 1492 u16 rpn_mask = RFCOMM_RPN_PM_ALL; 1493 1494 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", 1495 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, 1496 rpn->xon_char, rpn->xoff_char, rpn->param_mask); 1497 1498 if (!cr) 1499 return 0; 1500 1501 if (len == 1) { 1502 /* This is a request, return default (according to ETSI TS 07.10) settings */ 1503 bit_rate = RFCOMM_RPN_BR_9600; 1504 data_bits = RFCOMM_RPN_DATA_8; 1505 stop_bits = RFCOMM_RPN_STOP_1; 1506 parity = RFCOMM_RPN_PARITY_NONE; 1507 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1508 xon_char = RFCOMM_RPN_XON_CHAR; 1509 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1510 goto rpn_out; 1511 } 1512 1513 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit, 1514 * no parity, no flow control lines, normal XON/XOFF chars */ 1515 1516 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) { 1517 bit_rate = rpn->bit_rate; 1518 if (bit_rate > RFCOMM_RPN_BR_230400) { 1519 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate); 1520 bit_rate = RFCOMM_RPN_BR_9600; 1521 rpn_mask ^= RFCOMM_RPN_PM_BITRATE; 1522 } 1523 } 1524 1525 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) { 1526 data_bits = __get_rpn_data_bits(rpn->line_settings); 1527 if (data_bits != RFCOMM_RPN_DATA_8) { 1528 BT_DBG("RPN data bits mismatch 0x%x", data_bits); 1529 data_bits = RFCOMM_RPN_DATA_8; 1530 rpn_mask ^= RFCOMM_RPN_PM_DATA; 1531 } 1532 } 1533 1534 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) { 1535 stop_bits = __get_rpn_stop_bits(rpn->line_settings); 1536 if (stop_bits != RFCOMM_RPN_STOP_1) { 1537 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits); 1538 stop_bits = RFCOMM_RPN_STOP_1; 1539 rpn_mask ^= RFCOMM_RPN_PM_STOP; 1540 } 1541 } 1542 1543 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) { 1544 parity = __get_rpn_parity(rpn->line_settings); 1545 if (parity != RFCOMM_RPN_PARITY_NONE) { 1546 BT_DBG("RPN parity mismatch 0x%x", parity); 1547 parity = RFCOMM_RPN_PARITY_NONE; 1548 rpn_mask ^= RFCOMM_RPN_PM_PARITY; 1549 } 1550 } 1551 1552 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) { 1553 flow_ctrl = rpn->flow_ctrl; 1554 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) { 1555 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl); 1556 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1557 rpn_mask ^= RFCOMM_RPN_PM_FLOW; 1558 } 1559 } 1560 1561 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) { 1562 xon_char = rpn->xon_char; 1563 if (xon_char != RFCOMM_RPN_XON_CHAR) { 1564 BT_DBG("RPN XON char mismatch 0x%x", xon_char); 1565 xon_char = RFCOMM_RPN_XON_CHAR; 1566 rpn_mask ^= RFCOMM_RPN_PM_XON; 1567 } 1568 } 1569 1570 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) { 1571 xoff_char = rpn->xoff_char; 1572 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) { 1573 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char); 1574 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1575 rpn_mask ^= RFCOMM_RPN_PM_XOFF; 1576 } 1577 } 1578 1579rpn_out: 1580 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits, 1581 parity, flow_ctrl, xon_char, xoff_char, rpn_mask); 1582 1583 return 0; 1584} 1585 1586static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1587{ 1588 struct rfcomm_rls *rls = (void *) skb->data; 1589 u8 dlci = __get_dlci(rls->dlci); 1590 1591 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); 1592 1593 if (!cr) 1594 return 0; 1595 1596 /* We should probably do something with this information here. But 1597 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's 1598 * mandatory to recognise and respond to RLS */ 1599 1600 rfcomm_send_rls(s, 0, dlci, rls->status); 1601 1602 return 0; 1603} 1604 1605static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1606{ 1607 struct rfcomm_msc *msc = (void *) skb->data; 1608 struct rfcomm_dlc *d; 1609 u8 dlci = __get_dlci(msc->dlci); 1610 1611 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); 1612 1613 d = rfcomm_dlc_get(s, dlci); 1614 if (!d) 1615 return 0; 1616 1617 if (cr) { 1618 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc) 1619 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1620 else 1621 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1622 1623 rfcomm_dlc_lock(d); 1624 1625 d->remote_v24_sig = msc->v24_sig; 1626 1627 if (d->modem_status) 1628 d->modem_status(d, msc->v24_sig); 1629 1630 rfcomm_dlc_unlock(d); 1631 1632 rfcomm_send_msc(s, 0, dlci, msc->v24_sig); 1633 1634 d->mscex |= RFCOMM_MSCEX_RX; 1635 } else 1636 d->mscex |= RFCOMM_MSCEX_TX; 1637 1638 return 0; 1639} 1640 1641static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb) 1642{ 1643 struct rfcomm_mcc *mcc = (void *) skb->data; 1644 u8 type, cr, len; 1645 1646 cr = __test_cr(mcc->type); 1647 type = __get_mcc_type(mcc->type); 1648 len = __get_mcc_len(mcc->len); 1649 1650 BT_DBG("%p type 0x%x cr %d", s, type, cr); 1651 1652 skb_pull(skb, 2); 1653 1654 switch (type) { 1655 case RFCOMM_PN: 1656 rfcomm_recv_pn(s, cr, skb); 1657 break; 1658 1659 case RFCOMM_RPN: 1660 rfcomm_recv_rpn(s, cr, len, skb); 1661 break; 1662 1663 case RFCOMM_RLS: 1664 rfcomm_recv_rls(s, cr, skb); 1665 break; 1666 1667 case RFCOMM_MSC: 1668 rfcomm_recv_msc(s, cr, skb); 1669 break; 1670 1671 case RFCOMM_FCOFF: 1672 if (cr) { 1673 set_bit(RFCOMM_TX_THROTTLED, &s->flags); 1674 rfcomm_send_fcoff(s, 0); 1675 } 1676 break; 1677 1678 case RFCOMM_FCON: 1679 if (cr) { 1680 clear_bit(RFCOMM_TX_THROTTLED, &s->flags); 1681 rfcomm_send_fcon(s, 0); 1682 } 1683 break; 1684 1685 case RFCOMM_TEST: 1686 if (cr) 1687 rfcomm_send_test(s, 0, skb->data, skb->len); 1688 break; 1689 1690 case RFCOMM_NSC: 1691 break; 1692 1693 default: 1694 BT_ERR("Unknown control type 0x%02x", type); 1695 rfcomm_send_nsc(s, cr, type); 1696 break; 1697 } 1698 return 0; 1699} 1700 1701static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb) 1702{ 1703 struct rfcomm_dlc *d; 1704 1705 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf); 1706 1707 d = rfcomm_dlc_get(s, dlci); 1708 if (!d) { 1709 rfcomm_send_dm(s, dlci); 1710 goto drop; 1711 } 1712 1713 if (pf && d->cfc) { 1714 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1); 1715 1716 d->tx_credits += credits; 1717 if (d->tx_credits) 1718 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1719 } 1720 1721 if (skb->len && d->state == BT_CONNECTED) { 1722 rfcomm_dlc_lock(d); 1723 d->rx_credits--; 1724 d->data_ready(d, skb); 1725 rfcomm_dlc_unlock(d); 1726 return 0; 1727 } 1728 1729drop: 1730 kfree_skb(skb); 1731 return 0; 1732} 1733 1734static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s, 1735 struct sk_buff *skb) 1736{ 1737 struct rfcomm_hdr *hdr = (void *) skb->data; 1738 u8 type, dlci, fcs; 1739 1740 if (!s) { 1741 /* no session, so free socket data */ 1742 kfree_skb(skb); 1743 return s; 1744 } 1745 1746 dlci = __get_dlci(hdr->addr); 1747 type = __get_type(hdr->ctrl); 1748 1749 /* Trim FCS */ 1750 skb->len--; skb->tail--; 1751 fcs = *(u8 *)skb_tail_pointer(skb); 1752 1753 if (__check_fcs(skb->data, type, fcs)) { 1754 BT_ERR("bad checksum in packet"); 1755 kfree_skb(skb); 1756 return s; 1757 } 1758 1759 if (__test_ea(hdr->len)) 1760 skb_pull(skb, 3); 1761 else 1762 skb_pull(skb, 4); 1763 1764 switch (type) { 1765 case RFCOMM_SABM: 1766 if (__test_pf(hdr->ctrl)) 1767 rfcomm_recv_sabm(s, dlci); 1768 break; 1769 1770 case RFCOMM_DISC: 1771 if (__test_pf(hdr->ctrl)) 1772 s = rfcomm_recv_disc(s, dlci); 1773 break; 1774 1775 case RFCOMM_UA: 1776 if (__test_pf(hdr->ctrl)) 1777 s = rfcomm_recv_ua(s, dlci); 1778 break; 1779 1780 case RFCOMM_DM: 1781 s = rfcomm_recv_dm(s, dlci); 1782 break; 1783 1784 case RFCOMM_UIH: 1785 if (dlci) { 1786 rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb); 1787 return s; 1788 } 1789 rfcomm_recv_mcc(s, skb); 1790 break; 1791 1792 default: 1793 BT_ERR("Unknown packet type 0x%02x", type); 1794 break; 1795 } 1796 kfree_skb(skb); 1797 return s; 1798} 1799 1800/* ---- Connection and data processing ---- */ 1801 1802static void rfcomm_process_connect(struct rfcomm_session *s) 1803{ 1804 struct rfcomm_dlc *d, *n; 1805 1806 BT_DBG("session %p state %ld", s, s->state); 1807 1808 list_for_each_entry_safe(d, n, &s->dlcs, list) { 1809 if (d->state == BT_CONFIG) { 1810 d->mtu = s->mtu; 1811 if (rfcomm_check_security(d)) { 1812 rfcomm_send_pn(s, 1, d); 1813 } else { 1814 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1815 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1816 } 1817 } 1818 } 1819} 1820 1821/* Send data queued for the DLC. 1822 * Return number of frames left in the queue. 1823 */ 1824static int rfcomm_process_tx(struct rfcomm_dlc *d) 1825{ 1826 struct sk_buff *skb; 1827 int err; 1828 1829 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d", 1830 d, d->state, d->cfc, d->rx_credits, d->tx_credits); 1831 1832 /* Send pending MSC */ 1833 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags)) 1834 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1835 1836 if (d->cfc) { 1837 /* CFC enabled. 1838 * Give them some credits */ 1839 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) && 1840 d->rx_credits <= (d->cfc >> 2)) { 1841 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits); 1842 d->rx_credits = d->cfc; 1843 } 1844 } else { 1845 /* CFC disabled. 1846 * Give ourselves some credits */ 1847 d->tx_credits = 5; 1848 } 1849 1850 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 1851 return skb_queue_len(&d->tx_queue); 1852 1853 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1854 err = rfcomm_send_frame(d->session, skb->data, skb->len); 1855 if (err < 0) { 1856 skb_queue_head(&d->tx_queue, skb); 1857 break; 1858 } 1859 kfree_skb(skb); 1860 d->tx_credits--; 1861 } 1862 1863 if (d->cfc && !d->tx_credits) { 1864 /* We're out of TX credits. 1865 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */ 1866 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1867 } 1868 1869 return skb_queue_len(&d->tx_queue); 1870} 1871 1872static void rfcomm_process_dlcs(struct rfcomm_session *s) 1873{ 1874 struct rfcomm_dlc *d, *n; 1875 1876 BT_DBG("session %p state %ld", s, s->state); 1877 1878 list_for_each_entry_safe(d, n, &s->dlcs, list) { 1879 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) { 1880 __rfcomm_dlc_close(d, ETIMEDOUT); 1881 continue; 1882 } 1883 1884 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) { 1885 __rfcomm_dlc_close(d, ECONNREFUSED); 1886 continue; 1887 } 1888 1889 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) { 1890 rfcomm_dlc_clear_timer(d); 1891 if (d->out) { 1892 rfcomm_send_pn(s, 1, d); 1893 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 1894 } else { 1895 if (d->defer_setup) { 1896 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1897 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1898 1899 rfcomm_dlc_lock(d); 1900 d->state = BT_CONNECT2; 1901 d->state_change(d, 0); 1902 rfcomm_dlc_unlock(d); 1903 } else 1904 rfcomm_dlc_accept(d); 1905 } 1906 continue; 1907 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) { 1908 rfcomm_dlc_clear_timer(d); 1909 if (!d->out) 1910 rfcomm_send_dm(s, d->dlci); 1911 else 1912 d->state = BT_CLOSED; 1913 __rfcomm_dlc_close(d, ECONNREFUSED); 1914 continue; 1915 } 1916 1917 if (test_bit(RFCOMM_SEC_PENDING, &d->flags)) 1918 continue; 1919 1920 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags)) 1921 continue; 1922 1923 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) && 1924 d->mscex == RFCOMM_MSCEX_OK) 1925 rfcomm_process_tx(d); 1926 } 1927} 1928 1929static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s) 1930{ 1931 struct socket *sock = s->sock; 1932 struct sock *sk = sock->sk; 1933 struct sk_buff *skb; 1934 1935 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue)); 1936 1937 /* Get data directly from socket receive queue without copying it. */ 1938 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 1939 skb_orphan(skb); 1940 if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) { 1941 s = rfcomm_recv_frame(s, skb); 1942 if (!s) 1943 break; 1944 } else { 1945 kfree_skb(skb); 1946 } 1947 } 1948 1949 if (s && (sk->sk_state == BT_CLOSED)) 1950 s = rfcomm_session_close(s, sk->sk_err); 1951 1952 return s; 1953} 1954 1955static void rfcomm_accept_connection(struct rfcomm_session *s) 1956{ 1957 struct socket *sock = s->sock, *nsock; 1958 int err; 1959 1960 /* Fast check for a new connection. 1961 * Avoids unnesesary socket allocations. */ 1962 if (list_empty(&bt_sk(sock->sk)->accept_q)) 1963 return; 1964 1965 BT_DBG("session %p", s); 1966 1967 err = kernel_accept(sock, &nsock, O_NONBLOCK); 1968 if (err < 0) 1969 return; 1970 1971 /* Set our callbacks */ 1972 nsock->sk->sk_data_ready = rfcomm_l2data_ready; 1973 nsock->sk->sk_state_change = rfcomm_l2state_change; 1974 1975 s = rfcomm_session_add(nsock, BT_OPEN); 1976 if (s) { 1977 /* We should adjust MTU on incoming sessions. 1978 * L2CAP MTU minus UIH header and FCS. */ 1979 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu, 1980 l2cap_pi(nsock->sk)->chan->imtu) - 5; 1981 1982 rfcomm_schedule(); 1983 } else 1984 sock_release(nsock); 1985} 1986 1987static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s) 1988{ 1989 struct sock *sk = s->sock->sk; 1990 1991 BT_DBG("%p state %ld", s, s->state); 1992 1993 switch (sk->sk_state) { 1994 case BT_CONNECTED: 1995 s->state = BT_CONNECT; 1996 1997 /* We can adjust MTU on outgoing sessions. 1998 * L2CAP MTU minus UIH header and FCS. */ 1999 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5; 2000 2001 rfcomm_send_sabm(s, 0); 2002 break; 2003 2004 case BT_CLOSED: 2005 s = rfcomm_session_close(s, sk->sk_err); 2006 break; 2007 } 2008 return s; 2009} 2010 2011static void rfcomm_process_sessions(void) 2012{ 2013 struct rfcomm_session *s, *n; 2014 2015 rfcomm_lock(); 2016 2017 list_for_each_entry_safe(s, n, &session_list, list) { 2018 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) { 2019 s->state = BT_DISCONN; 2020 rfcomm_send_disc(s, 0); 2021 continue; 2022 } 2023 2024 switch (s->state) { 2025 case BT_LISTEN: 2026 rfcomm_accept_connection(s); 2027 continue; 2028 2029 case BT_BOUND: 2030 s = rfcomm_check_connection(s); 2031 break; 2032 2033 default: 2034 s = rfcomm_process_rx(s); 2035 break; 2036 } 2037 2038 if (s) 2039 rfcomm_process_dlcs(s); 2040 } 2041 2042 rfcomm_unlock(); 2043} 2044 2045static int rfcomm_add_listener(bdaddr_t *ba) 2046{ 2047 struct sockaddr_l2 addr; 2048 struct socket *sock; 2049 struct sock *sk; 2050 struct rfcomm_session *s; 2051 int err = 0; 2052 2053 /* Create socket */ 2054 err = rfcomm_l2sock_create(&sock); 2055 if (err < 0) { 2056 BT_ERR("Create socket failed %d", err); 2057 return err; 2058 } 2059 2060 /* Bind socket */ 2061 bacpy(&addr.l2_bdaddr, ba); 2062 addr.l2_family = AF_BLUETOOTH; 2063 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM); 2064 addr.l2_cid = 0; 2065 addr.l2_bdaddr_type = BDADDR_BREDR; 2066 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 2067 if (err < 0) { 2068 BT_ERR("Bind failed %d", err); 2069 goto failed; 2070 } 2071 2072 /* Set L2CAP options */ 2073 sk = sock->sk; 2074 lock_sock(sk); 2075 /* Set MTU to 0 so L2CAP can auto select the MTU */ 2076 l2cap_pi(sk)->chan->imtu = 0; 2077 release_sock(sk); 2078 2079 /* Start listening on the socket */ 2080 err = kernel_listen(sock, 10); 2081 if (err) { 2082 BT_ERR("Listen failed %d", err); 2083 goto failed; 2084 } 2085 2086 /* Add listening session */ 2087 s = rfcomm_session_add(sock, BT_LISTEN); 2088 if (!s) { 2089 err = -ENOMEM; 2090 goto failed; 2091 } 2092 2093 return 0; 2094failed: 2095 sock_release(sock); 2096 return err; 2097} 2098 2099static void rfcomm_kill_listener(void) 2100{ 2101 struct rfcomm_session *s, *n; 2102 2103 BT_DBG(""); 2104 2105 list_for_each_entry_safe(s, n, &session_list, list) 2106 rfcomm_session_del(s); 2107} 2108 2109static int rfcomm_run(void *unused) 2110{ 2111 DEFINE_WAIT_FUNC(wait, woken_wake_function); 2112 BT_DBG(""); 2113 2114 set_user_nice(current, -10); 2115 2116 rfcomm_add_listener(BDADDR_ANY); 2117 2118 add_wait_queue(&rfcomm_wq, &wait); 2119 while (!kthread_should_stop()) { 2120 2121 /* Process stuff */ 2122 rfcomm_process_sessions(); 2123 2124 wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT); 2125 } 2126 remove_wait_queue(&rfcomm_wq, &wait); 2127 2128 rfcomm_kill_listener(); 2129 2130 return 0; 2131} 2132 2133static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) 2134{ 2135 struct rfcomm_session *s; 2136 struct rfcomm_dlc *d, *n; 2137 2138 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt); 2139 2140 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst); 2141 if (!s) 2142 return; 2143 2144 list_for_each_entry_safe(d, n, &s->dlcs, list) { 2145 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) { 2146 rfcomm_dlc_clear_timer(d); 2147 if (status || encrypt == 0x00) { 2148 set_bit(RFCOMM_ENC_DROP, &d->flags); 2149 continue; 2150 } 2151 } 2152 2153 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) { 2154 if (d->sec_level == BT_SECURITY_MEDIUM) { 2155 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2156 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2157 continue; 2158 } else if (d->sec_level == BT_SECURITY_HIGH || 2159 d->sec_level == BT_SECURITY_FIPS) { 2160 set_bit(RFCOMM_ENC_DROP, &d->flags); 2161 continue; 2162 } 2163 } 2164 2165 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2166 continue; 2167 2168 if (!status && hci_conn_check_secure(conn, d->sec_level)) 2169 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2170 else 2171 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2172 } 2173 2174 rfcomm_schedule(); 2175} 2176 2177static struct hci_cb rfcomm_cb = { 2178 .name = "RFCOMM", 2179 .security_cfm = rfcomm_security_cfm 2180}; 2181 2182static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x) 2183{ 2184 struct rfcomm_session *s; 2185 2186 rfcomm_lock(); 2187 2188 list_for_each_entry(s, &session_list, list) { 2189 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan; 2190 struct rfcomm_dlc *d; 2191 list_for_each_entry(d, &s->dlcs, list) { 2192 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n", 2193 &chan->src, &chan->dst, 2194 d->state, d->dlci, d->mtu, 2195 d->rx_credits, d->tx_credits); 2196 } 2197 } 2198 2199 rfcomm_unlock(); 2200 2201 return 0; 2202} 2203 2204DEFINE_SHOW_ATTRIBUTE(rfcomm_dlc_debugfs); 2205 2206static struct dentry *rfcomm_dlc_debugfs; 2207 2208/* ---- Initialization ---- */ 2209static int __init rfcomm_init(void) 2210{ 2211 int err; 2212 2213 hci_register_cb(&rfcomm_cb); 2214 2215 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd"); 2216 if (IS_ERR(rfcomm_thread)) { 2217 err = PTR_ERR(rfcomm_thread); 2218 goto unregister; 2219 } 2220 2221 err = rfcomm_init_ttys(); 2222 if (err < 0) 2223 goto stop; 2224 2225 err = rfcomm_init_sockets(); 2226 if (err < 0) 2227 goto cleanup; 2228 2229 BT_INFO("RFCOMM ver %s", VERSION); 2230 2231 if (IS_ERR_OR_NULL(bt_debugfs)) 2232 return 0; 2233 2234 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444, 2235 bt_debugfs, NULL, 2236 &rfcomm_dlc_debugfs_fops); 2237 2238 return 0; 2239 2240cleanup: 2241 rfcomm_cleanup_ttys(); 2242 2243stop: 2244 kthread_stop(rfcomm_thread); 2245 2246unregister: 2247 hci_unregister_cb(&rfcomm_cb); 2248 2249 return err; 2250} 2251 2252static void __exit rfcomm_exit(void) 2253{ 2254 debugfs_remove(rfcomm_dlc_debugfs); 2255 2256 hci_unregister_cb(&rfcomm_cb); 2257 2258 kthread_stop(rfcomm_thread); 2259 2260 rfcomm_cleanup_ttys(); 2261 2262 rfcomm_cleanup_sockets(); 2263} 2264 2265module_init(rfcomm_init); 2266module_exit(rfcomm_exit); 2267 2268module_param(disable_cfc, bool, 0644); 2269MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control"); 2270 2271module_param(channel_mtu, int, 0644); 2272MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel"); 2273 2274module_param(l2cap_ertm, bool, 0644); 2275MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection"); 2276 2277MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2278MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION); 2279MODULE_VERSION(VERSION); 2280MODULE_LICENSE("GPL"); 2281MODULE_ALIAS("bt-proto-3"); 2282