net/bluetooth/rfcomm/core.c

   1 /*
   2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
   4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License version 2 as
   8    published by the Free Software Foundation;
   9
  10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  18
  19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  21    SOFTWARE IS DISCLAIMED.
  22 */
  23
  24 /*
  25  * Bluetooth RFCOMM core.
  26  */
  27
  28 #include <linux/module.h>
  29 #include <linux/errno.h>
  30 #include <linux/kernel.h>
  31 #include <linux/sched.h>
  32 #include <linux/signal.h>
  33 #include <linux/init.h>
  34 #include <linux/wait.h>
  35 #include <linux/device.h>
  36 #include <linux/debugfs.h>
  37 #include <linux/seq_file.h>
  38 #include <linux/net.h>
  39 #include <linux/mutex.h>
  40 #include <linux/kthread.h>
  41 #include <linux/slab.h>
  42
  43 #include <net/sock.h>
  44 #include <linux/uaccess.h>
  45 #include <asm/unaligned.h>
  46
  47 #include <net/bluetooth/bluetooth.h>
  48 #include <net/bluetooth/hci_core.h>
  49 #include <net/bluetooth/l2cap.h>
  50 #include <net/bluetooth/rfcomm.h>
  51
  52 #define VERSION "1.11"
  53
  54 static int disable_cfc;
  55 static int l2cap_ertm;
  56 static int channel_mtu = -1;
  57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
  58
  59 static struct task_struct *rfcomm_thread;
  60
  61 static DEFINE_MUTEX(rfcomm_mutex);
  62 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
  63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
  64
  65
  66 static LIST_HEAD(session_list);
  67
  68 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len,
  69                                                         u32 priority);
  70 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
  71 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
  72 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
  73 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
  74 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
  75 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
  76 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
  77 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
  78 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
  79
  80 static void rfcomm_process_connect(struct rfcomm_session *s);
  81
  82 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
  83                                                         bdaddr_t *dst,
  84                                                         u8 sec_level,
  85                                                         int *err);
  86 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
  87 static void rfcomm_session_del(struct rfcomm_session *s);
  88
  89 /* ---- RFCOMM frame parsing macros ---- */
  90 #define __get_dlci(b)     ((b & 0xfc) >> 2)
  91 #define __get_channel(b)  ((b & 0xf8) >> 3)
  92 #define __get_dir(b)      ((b & 0x04) >> 2)
  93 #define __get_type(b)     ((b & 0xef))
  94
  95 #define __test_ea(b)      ((b & 0x01))
  96 #define __test_cr(b)      ((b & 0x02))
  97 #define __test_pf(b)      ((b & 0x10))
  98
  99 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
 100 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
 101 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
 102 #define __srv_channel(dlci)    (dlci >> 1)
 103 #define __dir(dlci)            (dlci & 0x01)
 104
 105 #define __len8(len)       (((len) << 1) | 1)
 106 #define __len16(len)      ((len) << 1)
 107
 108 /* MCC macros */
 109 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
 110 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
 111 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
 112
 113 /* RPN macros */
 114 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
 115 #define __get_rpn_data_bits(line) ((line) & 0x3)
 116 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
 117 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
 118
 119 static inline void rfcomm_schedule(void)
 120 {
 121         if (!rfcomm_thread)
 122                 return;
 123         wake_up_process(rfcomm_thread);
 124 }
 125
 126 static inline void rfcomm_session_put(struct rfcomm_session *s)
 127 {
 128         if (atomic_dec_and_test(&s->refcnt))
 129                 rfcomm_session_del(s);
 130 }
 131
 132 /* ---- RFCOMM FCS computation ---- */
 133
 134 /* reversed, 8-bit, poly=0x07 */
 135 static unsigned char rfcomm_crc_table[256] = {
 136         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
 137         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
 138         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
 139         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
 140
 141         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
 142         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
 143         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
 144         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
 145
 146         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
 147         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
 148         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
 149         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
 150
 151         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
 152         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
 153         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
 154         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
 155
 156         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
 157         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
 158         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
 159         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
 160
 161         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
 162         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
 163         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
 164         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
 165
 166         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
 167         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
 168         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
 169         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
 170
 171         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
 172         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
 173         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
 174         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
 175 };
 176
 177 /* CRC on 2 bytes */
 178 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
 179
 180 /* FCS on 2 bytes */
 181 static inline u8 __fcs(u8 *data)
 182 {
 183         return 0xff - __crc(data);
 184 }
 185
 186 /* FCS on 3 bytes */
 187 static inline u8 __fcs2(u8 *data)
 188 {
 189         return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
 190 }
 191
 192 /* Check FCS */
 193 static inline int __check_fcs(u8 *data, int type, u8 fcs)
 194 {
 195         u8 f = __crc(data);
 196
 197         if (type != RFCOMM_UIH)
 198                 f = rfcomm_crc_table[f ^ data[2]];
 199
 200         return rfcomm_crc_table[f ^ fcs] != 0xcf;
 201 }
 202
 203 /* ---- L2CAP callbacks ---- */
 204 static void rfcomm_l2state_change(struct sock *sk)
 205 {
 206         BT_DBG("%p state %d", sk, sk->sk_state);
 207         rfcomm_schedule();
 208 }
 209
 210 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
 211 {
 212         BT_DBG("%p bytes %d", sk, bytes);
 213         rfcomm_schedule();
 214 }
 215
 216 static int rfcomm_l2sock_create(struct socket **sock)
 217 {
 218         int err;
 219
 220         BT_DBG("");
 221
 222         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
 223         if (!err) {
 224                 struct sock *sk = (*sock)->sk;
 225                 sk->sk_data_ready   = rfcomm_l2data_ready;
 226                 sk->sk_state_change = rfcomm_l2state_change;
 227         }
 228         return err;
 229 }
 230
 231 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
 232 {
 233         struct sock *sk = d->session->sock->sk;
 234         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
 235
 236         __u8 auth_type;
 237
 238         switch (d->sec_level) {
 239         case BT_SECURITY_HIGH:
 240                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
 241                 break;
 242         case BT_SECURITY_MEDIUM:
 243                 auth_type = HCI_AT_GENERAL_BONDING;
 244                 break;
 245         default:
 246                 auth_type = HCI_AT_NO_BONDING;
 247                 break;
 248         }
 249
 250         return hci_conn_security(conn->hcon, d->sec_level, auth_type);
 251 }
 252
 253 static void rfcomm_session_timeout(unsigned long arg)
 254 {
 255         struct rfcomm_session *s = (void *) arg;
 256
 257         BT_DBG("session %p state %ld", s, s->state);
 258
 259         set_bit(RFCOMM_TIMED_OUT, &s->flags);
 260         rfcomm_schedule();
 261 }
 262
 263 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
 264 {
 265         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
 266
 267         if (!mod_timer(&s->timer, jiffies + timeout))
 268                 rfcomm_session_hold(s);
 269 }
 270
 271 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
 272 {
 273         BT_DBG("session %p state %ld", s, s->state);
 274
 275         if (timer_pending(&s->timer) && del_timer(&s->timer))
 276                 rfcomm_session_put(s);
 277 }
 278
 279 /* ---- RFCOMM DLCs ---- */
 280 static void rfcomm_dlc_timeout(unsigned long arg)
 281 {
 282         struct rfcomm_dlc *d = (void *) arg;
 283
 284         BT_DBG("dlc %p state %ld", d, d->state);
 285
 286         set_bit(RFCOMM_TIMED_OUT, &d->flags);
 287         rfcomm_dlc_put(d);
 288         rfcomm_schedule();
 289 }
 290
 291 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
 292 {
 293         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
 294
 295         if (!mod_timer(&d->timer, jiffies + timeout))
 296                 rfcomm_dlc_hold(d);
 297 }
 298
 299 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
 300 {
 301         BT_DBG("dlc %p state %ld", d, d->state);
 302
 303         if (timer_pending(&d->timer) && del_timer(&d->timer))
 304                 rfcomm_dlc_put(d);
 305 }
 306
 307 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
 308 {
 309         BT_DBG("%p", d);
 310
 311         d->state      = BT_OPEN;
 312         d->flags      = 0;
 313         d->mscex      = 0;
 314         d->sec_level  = BT_SECURITY_LOW;
 315         d->mtu        = RFCOMM_DEFAULT_MTU;
 316         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
 317
 318         d->cfc        = RFCOMM_CFC_DISABLED;
 319         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
 320 }
 321
 322 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
 323 {
 324         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
 325
 326         if (!d)
 327                 return NULL;
 328
 329         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
 330
 331         skb_queue_head_init(&d->tx_queue);
 332         spin_lock_init(&d->lock);
 333         atomic_set(&d->refcnt, 1);
 334
 335         rfcomm_dlc_clear_state(d);
 336
 337         BT_DBG("%p", d);
 338
 339         return d;
 340 }
 341
 342 void rfcomm_dlc_free(struct rfcomm_dlc *d)
 343 {
 344         BT_DBG("%p", d);
 345
 346         skb_queue_purge(&d->tx_queue);
 347         kfree(d);
 348 }
 349
 350 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
 351 {
 352         BT_DBG("dlc %p session %p", d, s);
 353
 354         rfcomm_session_hold(s);
 355
 356         rfcomm_session_clear_timer(s);
 357         rfcomm_dlc_hold(d);
 358         list_add(&d->list, &s->dlcs);
 359         d->session = s;
 360 }
 361
 362 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
 363 {
 364         struct rfcomm_session *s = d->session;
 365
 366         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
 367
 368         list_del(&d->list);
 369         d->session = NULL;
 370         rfcomm_dlc_put(d);
 371
 372         if (list_empty(&s->dlcs))
 373                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
 374
 375         rfcomm_session_put(s);
 376 }
 377
 378 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
 379 {
 380         struct rfcomm_dlc *d;
 381
 382         list_for_each_entry(d, &s->dlcs, list)
 383                 if (d->dlci == dlci)
 384                         return d;
 385
 386         return NULL;
 387 }
 388
 389 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
 390 {
 391         struct rfcomm_session *s;
 392         int err = 0;
 393         u8 dlci;
 394
 395         BT_DBG("dlc %p state %ld %s %s channel %d",
 396                         d, d->state, batostr(src), batostr(dst), channel);
 397
 398         if (channel < 1 || channel > 30)
 399                 return -EINVAL;
 400
 401         if (d->state != BT_OPEN && d->state != BT_CLOSED)
 402                 return 0;
 403
 404         s = rfcomm_session_get(src, dst);
 405         if (!s) {
 406                 s = rfcomm_session_create(src, dst, d->sec_level, &err);
 407                 if (!s)
 408                         return err;
 409         }
 410
 411         dlci = __dlci(!s->initiator, channel);
 412
 413         /* Check if DLCI already exists */
 414         if (rfcomm_dlc_get(s, dlci))
 415                 return -EBUSY;
 416
 417         rfcomm_dlc_clear_state(d);
 418
 419         d->dlci     = dlci;
 420         d->addr     = __addr(s->initiator, dlci);
 421         d->priority = 7;
 422
 423         d->state = BT_CONFIG;
 424         rfcomm_dlc_link(s, d);
 425
 426         d->out = 1;
 427
 428         d->mtu = s->mtu;
 429         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
 430
 431         if (s->state == BT_CONNECTED) {
 432                 if (rfcomm_check_security(d))
 433                         rfcomm_send_pn(s, 1, d);
 434                 else
 435                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
 436         }
 437
 438         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
 439
 440         return 0;
 441 }
 442
 443 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
 444 {
 445         int r;
 446
 447         rfcomm_lock();
 448
 449         r = __rfcomm_dlc_open(d, src, dst, channel);
 450
 451         rfcomm_unlock();
 452         return r;
 453 }
 454
 455 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 456 {
 457         struct rfcomm_session *s = d->session;
 458         if (!s)
 459                 return 0;
 460
 461         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
 462                         d, d->state, d->dlci, err, s);
 463
 464         switch (d->state) {
 465         case BT_CONNECT:
 466         case BT_CONFIG:
 467                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
 468                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
 469                         rfcomm_schedule();
 470                         break;
 471                 }
 472                 /* Fall through */
 473
 474         case BT_CONNECTED:
 475                 d->state = BT_DISCONN;
 476                 if (skb_queue_empty(&d->tx_queue)) {
 477                         rfcomm_send_disc(s, d->dlci);
 478                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
 479                 } else {
 480                         rfcomm_queue_disc(d);
 481                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
 482                 }
 483                 break;
 484
 485         case BT_OPEN:
 486         case BT_CONNECT2:
 487                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
 488                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
 489                         rfcomm_schedule();
 490                         break;
 491                 }
 492                 /* Fall through */
 493
 494         default:
 495                 rfcomm_dlc_clear_timer(d);
 496
 497                 rfcomm_dlc_lock(d);
 498                 d->state = BT_CLOSED;
 499                 d->state_change(d, err);
 500                 rfcomm_dlc_unlock(d);
 501
 502                 skb_queue_purge(&d->tx_queue);
 503                 rfcomm_dlc_unlink(d);
 504         }
 505
 506         return 0;
 507 }
 508
 509 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 510 {
 511         int r;
 512
 513         rfcomm_lock();
 514
 515         r = __rfcomm_dlc_close(d, err);
 516
 517         rfcomm_unlock();
 518         return r;
 519 }
 520
 521 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
 522 {
 523         int len = skb->len;
 524
 525         if (d->state != BT_CONNECTED)
 526                 return -ENOTCONN;
 527
 528         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
 529
 530         if (len > d->mtu)
 531                 return -EINVAL;
 532
 533         rfcomm_make_uih(skb, d->addr);
 534         skb_queue_tail(&d->tx_queue, skb);
 535
 536         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
 537                 rfcomm_schedule();
 538         return len;
 539 }
 540
 541 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
 542 {
 543         BT_DBG("dlc %p state %ld", d, d->state);
 544
 545         if (!d->cfc) {
 546                 d->v24_sig |= RFCOMM_V24_FC;
 547                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
 548         }
 549         rfcomm_schedule();
 550 }
 551
 552 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
 553 {
 554         BT_DBG("dlc %p state %ld", d, d->state);
 555
 556         if (!d->cfc) {
 557                 d->v24_sig &= ~RFCOMM_V24_FC;
 558                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
 559         }
 560         rfcomm_schedule();
 561 }
 562
 563 /*
 564    Set/get modem status functions use _local_ status i.e. what we report
 565    to the other side.
 566    Remote status is provided by dlc->modem_status() callback.
 567  */
 568 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
 569 {
 570         BT_DBG("dlc %p state %ld v24_sig 0x%x",
 571                         d, d->state, v24_sig);
 572
 573         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
 574                 v24_sig |= RFCOMM_V24_FC;
 575         else
 576                 v24_sig &= ~RFCOMM_V24_FC;
 577
 578         d->v24_sig = v24_sig;
 579
 580         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
 581                 rfcomm_schedule();
 582
 583         return 0;
 584 }
 585
 586 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
 587 {
 588         BT_DBG("dlc %p state %ld v24_sig 0x%x",
 589                         d, d->state, d->v24_sig);
 590
 591         *v24_sig = d->v24_sig;
 592         return 0;
 593 }
 594
 595 /* ---- RFCOMM sessions ---- */
 596 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
 597 {
 598         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
 599
 600         if (!s)
 601                 return NULL;
 602
 603         BT_DBG("session %p sock %p", s, sock);
 604
 605         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
 606
 607         INIT_LIST_HEAD(&s->dlcs);
 608         s->state = state;
 609         s->sock  = sock;
 610
 611         s->mtu = RFCOMM_DEFAULT_MTU;
 612         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
 613
 614         /* Do not increment module usage count for listening sessions.
 615          * Otherwise we won't be able to unload the module. */
 616         if (state != BT_LISTEN)
 617                 if (!try_module_get(THIS_MODULE)) {
 618                         kfree(s);
 619                         return NULL;
 620                 }
 621
 622         list_add(&s->list, &session_list);
 623
 624         return s;
 625 }
 626
 627 static void rfcomm_session_del(struct rfcomm_session *s)
 628 {
 629         int state = s->state;
 630
 631         BT_DBG("session %p state %ld", s, s->state);
 632
 633         list_del(&s->list);
 634
 635         if (state == BT_CONNECTED)
 636                 rfcomm_send_disc(s, 0);
 637
 638         rfcomm_session_clear_timer(s);
 639         sock_release(s->sock);
 640         kfree(s);
 641
 642         if (state != BT_LISTEN)
 643                 module_put(THIS_MODULE);
 644 }
 645
 646 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
 647 {
 648         struct rfcomm_session *s;
 649         struct list_head *p, *n;
 650         struct bt_sock *sk;
 651         list_for_each_safe(p, n, &session_list) {
 652                 s = list_entry(p, struct rfcomm_session, list);
 653                 sk = bt_sk(s->sock->sk);
 654
 655                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
 656                                 !bacmp(&sk->dst, dst))
 657                         return s;
 658         }
 659         return NULL;
 660 }
 661
 662 static void rfcomm_session_close(struct rfcomm_session *s, int err)
 663 {
 664         struct rfcomm_dlc *d;
 665         struct list_head *p, *n;
 666
 667         BT_DBG("session %p state %ld err %d", s, s->state, err);
 668
 669         rfcomm_session_hold(s);
 670
 671         s->state = BT_CLOSED;
 672
 673         /* Close all dlcs */
 674         list_for_each_safe(p, n, &s->dlcs) {
 675                 d = list_entry(p, struct rfcomm_dlc, list);
 676                 d->state = BT_CLOSED;
 677                 __rfcomm_dlc_close(d, err);
 678         }
 679
 680         rfcomm_session_clear_timer(s);
 681         rfcomm_session_put(s);
 682 }
 683
 684 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
 685                                                         bdaddr_t *dst,
 686                                                         u8 sec_level,
 687                                                         int *err)
 688 {
 689         struct rfcomm_session *s = NULL;
 690         struct sockaddr_l2 addr;
 691         struct socket *sock;
 692         struct sock *sk;
 693
 694         BT_DBG("%s %s", batostr(src), batostr(dst));
 695
 696         *err = rfcomm_l2sock_create(&sock);
 697         if (*err < 0)
 698                 return NULL;
 699
 700         bacpy(&addr.l2_bdaddr, src);
 701         addr.l2_family = AF_BLUETOOTH;
 702         addr.l2_psm    = 0;
 703         addr.l2_cid    = 0;
 704         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
 705         if (*err < 0)
 706                 goto failed;
 707
 708         /* Set L2CAP options */
 709         sk = sock->sk;
 710         lock_sock(sk);
 711         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
 712         l2cap_pi(sk)->chan->sec_level = sec_level;
 713         if (l2cap_ertm)
 714                 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
 715         release_sock(sk);
 716
 717         s = rfcomm_session_add(sock, BT_BOUND);
 718         if (!s) {
 719                 *err = -ENOMEM;
 720                 goto failed;
 721         }
 722
 723         s->initiator = 1;
 724
 725         bacpy(&addr.l2_bdaddr, dst);
 726         addr.l2_family = AF_BLUETOOTH;
 727         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
 728         addr.l2_cid    = 0;
 729         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
 730         if (*err == 0 || *err == -EINPROGRESS)
 731                 return s;
 732
 733         rfcomm_session_del(s);
 734         return NULL;
 735
 736 failed:
 737         sock_release(sock);
 738         return NULL;
 739 }
 740
 741 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
 742 {
 743         struct sock *sk = s->sock->sk;
 744         if (src)
 745                 bacpy(src, &bt_sk(sk)->src);
 746         if (dst)
 747                 bacpy(dst, &bt_sk(sk)->dst);
 748 }
 749
 750 /* ---- RFCOMM frame sending ---- */
 751 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len,
 752                                                         u32 priority)
 753 {
 754         struct socket *sock = s->sock;
 755         struct sock *sk = sock->sk;
 756         struct kvec iv = { data, len };
 757         struct msghdr msg;
 758
 759         BT_DBG("session %p len %d priority %u", s, len, priority);
 760
 761         if (sk->sk_priority != priority) {
 762                 lock_sock(sk);
 763                 sk->sk_priority = priority;
 764                 release_sock(sk);
 765         }
 766
 767         memset(&msg, 0, sizeof(msg));
 768
 769         return kernel_sendmsg(sock, &msg, &iv, 1, len);
 770 }
 771
 772 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
 773 {
 774         BT_DBG("%p cmd %u", s, cmd->ctrl);
 775
 776         return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd), HCI_PRIO_MAX);
 777 }
 778
 779 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
 780 {
 781         struct rfcomm_cmd cmd;
 782
 783         BT_DBG("%p dlci %d", s, dlci);
 784
 785         cmd.addr = __addr(s->initiator, dlci);
 786         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
 787         cmd.len  = __len8(0);
 788         cmd.fcs  = __fcs2((u8 *) &cmd);
 789
 790         return rfcomm_send_cmd(s, &cmd);
 791 }
 792
 793 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
 794 {
 795         struct rfcomm_cmd cmd;
 796
 797         BT_DBG("%p dlci %d", s, dlci);
 798
 799         cmd.addr = __addr(!s->initiator, dlci);
 800         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
 801         cmd.len  = __len8(0);
 802         cmd.fcs  = __fcs2((u8 *) &cmd);
 803
 804         return rfcomm_send_cmd(s, &cmd);
 805 }
 806
 807 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
 808 {
 809         struct rfcomm_cmd cmd;
 810
 811         BT_DBG("%p dlci %d", s, dlci);
 812
 813         cmd.addr = __addr(s->initiator, dlci);
 814         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
 815         cmd.len  = __len8(0);
 816         cmd.fcs  = __fcs2((u8 *) &cmd);
 817
 818         return rfcomm_send_cmd(s, &cmd);
 819 }
 820
 821 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
 822 {
 823         struct rfcomm_cmd *cmd;
 824         struct sk_buff *skb;
 825
 826         BT_DBG("dlc %p dlci %d", d, d->dlci);
 827
 828         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
 829         if (!skb)
 830                 return -ENOMEM;
 831
 832         skb->priority = HCI_PRIO_MAX;
 833
 834         cmd = (void *) __skb_put(skb, sizeof(*cmd));
 835         cmd->addr = d->addr;
 836         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
 837         cmd->len  = __len8(0);
 838         cmd->fcs  = __fcs2((u8 *) cmd);
 839
 840         skb_queue_tail(&d->tx_queue, skb);
 841         rfcomm_schedule();
 842         return 0;
 843 }
 844
 845 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
 846 {
 847         struct rfcomm_cmd cmd;
 848
 849         BT_DBG("%p dlci %d", s, dlci);
 850
 851         cmd.addr = __addr(!s->initiator, dlci);
 852         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
 853         cmd.len  = __len8(0);
 854         cmd.fcs  = __fcs2((u8 *) &cmd);
 855
 856         return rfcomm_send_cmd(s, &cmd);
 857 }
 858
 859 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
 860 {
 861         struct rfcomm_hdr *hdr;
 862         struct rfcomm_mcc *mcc;
 863         u8 buf[16], *ptr = buf;
 864
 865         BT_DBG("%p cr %d type %d", s, cr, type);
 866
 867         hdr = (void *) ptr; ptr += sizeof(*hdr);
 868         hdr->addr = __addr(s->initiator, 0);
 869         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 870         hdr->len  = __len8(sizeof(*mcc) + 1);
 871
 872         mcc = (void *) ptr; ptr += sizeof(*mcc);
 873         mcc->type = __mcc_type(cr, RFCOMM_NSC);
 874         mcc->len  = __len8(1);
 875
 876         /* Type that we didn't like */
 877         *ptr = __mcc_type(cr, type); ptr++;
 878
 879         *ptr = __fcs(buf); ptr++;
 880
 881         return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX);
 882 }
 883
 884 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
 885 {
 886         struct rfcomm_hdr *hdr;
 887         struct rfcomm_mcc *mcc;
 888         struct rfcomm_pn  *pn;
 889         u8 buf[16], *ptr = buf;
 890
 891         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
 892
 893         hdr = (void *) ptr; ptr += sizeof(*hdr);
 894         hdr->addr = __addr(s->initiator, 0);
 895         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 896         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
 897
 898         mcc = (void *) ptr; ptr += sizeof(*mcc);
 899         mcc->type = __mcc_type(cr, RFCOMM_PN);
 900         mcc->len  = __len8(sizeof(*pn));
 901
 902         pn = (void *) ptr; ptr += sizeof(*pn);
 903         pn->dlci        = d->dlci;
 904         pn->priority    = d->priority;
 905         pn->ack_timer   = 0;
 906         pn->max_retrans = 0;
 907
 908         if (s->cfc) {
 909                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
 910                 pn->credits = RFCOMM_DEFAULT_CREDITS;
 911         } else {
 912                 pn->flow_ctrl = 0;
 913                 pn->credits   = 0;
 914         }
 915
 916         if (cr && channel_mtu >= 0)
 917                 pn->mtu = cpu_to_le16(channel_mtu);
 918         else
 919                 pn->mtu = cpu_to_le16(d->mtu);
 920
 921         *ptr = __fcs(buf); ptr++;
 922
 923         return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX);
 924 }
 925
 926 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
 927                         u8 bit_rate, u8 data_bits, u8 stop_bits,
 928                         u8 parity, u8 flow_ctrl_settings,
 929                         u8 xon_char, u8 xoff_char, u16 param_mask)
 930 {
 931         struct rfcomm_hdr *hdr;
 932         struct rfcomm_mcc *mcc;
 933         struct rfcomm_rpn *rpn;
 934         u8 buf[16], *ptr = buf;
 935
 936         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
 937                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
 938                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
 939                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
 940
 941         hdr = (void *) ptr; ptr += sizeof(*hdr);
 942         hdr->addr = __addr(s->initiator, 0);
 943         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 944         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
 945
 946         mcc = (void *) ptr; ptr += sizeof(*mcc);
 947         mcc->type = __mcc_type(cr, RFCOMM_RPN);
 948         mcc->len  = __len8(sizeof(*rpn));
 949
 950         rpn = (void *) ptr; ptr += sizeof(*rpn);
 951         rpn->dlci          = __addr(1, dlci);
 952         rpn->bit_rate      = bit_rate;
 953         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
 954         rpn->flow_ctrl     = flow_ctrl_settings;
 955         rpn->xon_char      = xon_char;
 956         rpn->xoff_char     = xoff_char;
 957         rpn->param_mask    = cpu_to_le16(param_mask);
 958
 959         *ptr = __fcs(buf); ptr++;
 960
 961         return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX);
 962 }
 963
 964 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
 965 {
 966         struct rfcomm_hdr *hdr;
 967         struct rfcomm_mcc *mcc;
 968         struct rfcomm_rls *rls;
 969         u8 buf[16], *ptr = buf;
 970
 971         BT_DBG("%p cr %d status 0x%x", s, cr, status);
 972
 973         hdr = (void *) ptr; ptr += sizeof(*hdr);
 974         hdr->addr = __addr(s->initiator, 0);
 975         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 976         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
 977
 978         mcc = (void *) ptr; ptr += sizeof(*mcc);
 979         mcc->type = __mcc_type(cr, RFCOMM_RLS);
 980         mcc->len  = __len8(sizeof(*rls));
 981
 982         rls = (void *) ptr; ptr += sizeof(*rls);
 983         rls->dlci   = __addr(1, dlci);
 984         rls->status = status;
 985
 986         *ptr = __fcs(buf); ptr++;
 987
 988         return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX);
 989 }
 990
 991 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
 992 {
 993         struct rfcomm_hdr *hdr;
 994         struct rfcomm_mcc *mcc;
 995         struct rfcomm_msc *msc;
 996         u8 buf[16], *ptr = buf;
 997
 998         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
 999
1000         hdr = (void *) ptr; ptr += sizeof(*hdr);
1001         hdr->addr = __addr(s->initiator, 0);
1002         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1003         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
1004
1005         mcc = (void *) ptr; ptr += sizeof(*mcc);
1006         mcc->type = __mcc_type(cr, RFCOMM_MSC);
1007         mcc->len  = __len8(sizeof(*msc));
1008
1009         msc = (void *) ptr; ptr += sizeof(*msc);
1010         msc->dlci    = __addr(1, dlci);
1011         msc->v24_sig = v24_sig | 0x01;
1012
1013         *ptr = __fcs(buf); ptr++;
1014
1015         return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX);
1016 }
1017
1018 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1019 {
1020         struct rfcomm_hdr *hdr;
1021         struct rfcomm_mcc *mcc;
1022         u8 buf[16], *ptr = buf;
1023
1024         BT_DBG("%p cr %d", s, cr);
1025
1026         hdr = (void *) ptr; ptr += sizeof(*hdr);
1027         hdr->addr = __addr(s->initiator, 0);
1028         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1029         hdr->len  = __len8(sizeof(*mcc));
1030
1031         mcc = (void *) ptr; ptr += sizeof(*mcc);
1032         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1033         mcc->len  = __len8(0);
1034
1035         *ptr = __fcs(buf); ptr++;
1036
1037         return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX);
1038 }
1039
1040 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1041 {
1042         struct rfcomm_hdr *hdr;
1043         struct rfcomm_mcc *mcc;
1044         u8 buf[16], *ptr = buf;
1045
1046         BT_DBG("%p cr %d", s, cr);
1047
1048         hdr = (void *) ptr; ptr += sizeof(*hdr);
1049         hdr->addr = __addr(s->initiator, 0);
1050         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1051         hdr->len  = __len8(sizeof(*mcc));
1052
1053         mcc = (void *) ptr; ptr += sizeof(*mcc);
1054         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1055         mcc->len  = __len8(0);
1056
1057         *ptr = __fcs(buf); ptr++;
1058
1059         return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX);
1060 }
1061
1062 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1063 {
1064         struct socket *sock = s->sock;
1065         struct kvec iv[3];
1066         struct msghdr msg;
1067         unsigned char hdr[5], crc[1];
1068
1069         if (len > 125)
1070                 return -EINVAL;
1071
1072         BT_DBG("%p cr %d", s, cr);
1073
1074         hdr[0] = __addr(s->initiator, 0);
1075         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1076         hdr[2] = 0x01 | ((len + 2) << 1);
1077         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1078         hdr[4] = 0x01 | (len << 1);
1079
1080         crc[0] = __fcs(hdr);
1081
1082         iv[0].iov_base = hdr;
1083         iv[0].iov_len  = 5;
1084         iv[1].iov_base = pattern;
1085         iv[1].iov_len  = len;
1086         iv[2].iov_base = crc;
1087         iv[2].iov_len  = 1;
1088
1089         memset(&msg, 0, sizeof(msg));
1090
1091         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1092 }
1093
1094 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1095 {
1096         struct rfcomm_hdr *hdr;
1097         u8 buf[16], *ptr = buf;
1098
1099         BT_DBG("%p addr %d credits %d", s, addr, credits);
1100
1101         hdr = (void *) ptr; ptr += sizeof(*hdr);
1102         hdr->addr = addr;
1103         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1104         hdr->len  = __len8(0);
1105
1106         *ptr = credits; ptr++;
1107
1108         *ptr = __fcs(buf); ptr++;
1109
1110         return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX);
1111 }
1112
1113 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1114 {
1115         struct rfcomm_hdr *hdr;
1116         int len = skb->len;
1117         u8 *crc;
1118
1119         if (len > 127) {
1120                 hdr = (void *) skb_push(skb, 4);
1121                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1122         } else {
1123                 hdr = (void *) skb_push(skb, 3);
1124                 hdr->len = __len8(len);
1125         }
1126         hdr->addr = addr;
1127         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1128
1129         crc = skb_put(skb, 1);
1130         *crc = __fcs((void *) hdr);
1131 }
1132
1133 /* ---- RFCOMM frame reception ---- */
1134 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1135 {
1136         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1137
1138         if (dlci) {
1139                 /* Data channel */
1140                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1141                 if (!d) {
1142                         rfcomm_send_dm(s, dlci);
1143                         return 0;
1144                 }
1145
1146                 switch (d->state) {
1147                 case BT_CONNECT:
1148                         rfcomm_dlc_clear_timer(d);
1149
1150                         rfcomm_dlc_lock(d);
1151                         d->state = BT_CONNECTED;
1152                         d->state_change(d, 0);
1153                         rfcomm_dlc_unlock(d);
1154
1155                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1156                         break;
1157
1158                 case BT_DISCONN:
1159                         d->state = BT_CLOSED;
1160                         __rfcomm_dlc_close(d, 0);
1161
1162                         if (list_empty(&s->dlcs)) {
1163                                 s->state = BT_DISCONN;
1164                                 rfcomm_send_disc(s, 0);
1165                                 rfcomm_session_clear_timer(s);
1166                         }
1167
1168                         break;
1169                 }
1170         } else {
1171                 /* Control channel */
1172                 switch (s->state) {
1173                 case BT_CONNECT:
1174                         s->state = BT_CONNECTED;
1175                         rfcomm_process_connect(s);
1176                         break;
1177
1178                 case BT_DISCONN:
1179                         /* When socket is closed and we are not RFCOMM
1180                          * initiator rfcomm_process_rx already calls
1181                          * rfcomm_session_put() */
1182                         if (s->sock->sk->sk_state != BT_CLOSED)
1183                                 if (list_empty(&s->dlcs))
1184                                         rfcomm_session_put(s);
1185                         break;
1186                 }
1187         }
1188         return 0;
1189 }
1190
1191 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1192 {
1193         int err = 0;
1194
1195         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1196
1197         if (dlci) {
1198                 /* Data DLC */
1199                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1200                 if (d) {
1201                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1202                                 err = ECONNREFUSED;
1203                         else
1204                                 err = ECONNRESET;
1205
1206                         d->state = BT_CLOSED;
1207                         __rfcomm_dlc_close(d, err);
1208                 }
1209         } else {
1210                 if (s->state == BT_CONNECT)
1211                         err = ECONNREFUSED;
1212                 else
1213                         err = ECONNRESET;
1214
1215                 s->state = BT_CLOSED;
1216                 rfcomm_session_close(s, err);
1217         }
1218         return 0;
1219 }
1220
1221 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1222 {
1223         int err = 0;
1224
1225         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1226
1227         if (dlci) {
1228                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1229                 if (d) {
1230                         rfcomm_send_ua(s, dlci);
1231
1232                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1233                                 err = ECONNREFUSED;
1234                         else
1235                                 err = ECONNRESET;
1236
1237                         d->state = BT_CLOSED;
1238                         __rfcomm_dlc_close(d, err);
1239                 } else
1240                         rfcomm_send_dm(s, dlci);
1241
1242         } else {
1243                 rfcomm_send_ua(s, 0);
1244
1245                 if (s->state == BT_CONNECT)
1246                         err = ECONNREFUSED;
1247                 else
1248                         err = ECONNRESET;
1249
1250                 s->state = BT_CLOSED;
1251                 rfcomm_session_close(s, err);
1252         }
1253
1254         return 0;
1255 }
1256
1257 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1258 {
1259         struct sock *sk = d->session->sock->sk;
1260         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1261
1262         BT_DBG("dlc %p", d);
1263
1264         rfcomm_send_ua(d->session, d->dlci);
1265
1266         rfcomm_dlc_clear_timer(d);
1267
1268         rfcomm_dlc_lock(d);
1269         d->state = BT_CONNECTED;
1270         d->state_change(d, 0);
1271         rfcomm_dlc_unlock(d);
1272
1273         if (d->role_switch)
1274                 hci_conn_switch_role(conn->hcon, 0x00);
1275
1276         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1277 }
1278
1279 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1280 {
1281         if (rfcomm_check_security(d)) {
1282                 if (d->defer_setup) {
1283                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1284                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1285
1286                         rfcomm_dlc_lock(d);
1287                         d->state = BT_CONNECT2;
1288                         d->state_change(d, 0);
1289                         rfcomm_dlc_unlock(d);
1290                 } else
1291                         rfcomm_dlc_accept(d);
1292         } else {
1293                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1294                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1295         }
1296 }
1297
1298 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1299 {
1300         struct rfcomm_dlc *d;
1301         u8 channel;
1302
1303         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1304
1305         if (!dlci) {
1306                 rfcomm_send_ua(s, 0);
1307
1308                 if (s->state == BT_OPEN) {
1309                         s->state = BT_CONNECTED;
1310                         rfcomm_process_connect(s);
1311                 }
1312                 return 0;
1313         }
1314
1315         /* Check if DLC exists */
1316         d = rfcomm_dlc_get(s, dlci);
1317         if (d) {
1318                 if (d->state == BT_OPEN) {
1319                         /* DLC was previously opened by PN request */
1320                         rfcomm_check_accept(d);
1321                 }
1322                 return 0;
1323         }
1324
1325         /* Notify socket layer about incoming connection */
1326         channel = __srv_channel(dlci);
1327         if (rfcomm_connect_ind(s, channel, &d)) {
1328                 d->dlci = dlci;
1329                 d->addr = __addr(s->initiator, dlci);
1330                 rfcomm_dlc_link(s, d);
1331
1332                 rfcomm_check_accept(d);
1333         } else {
1334                 rfcomm_send_dm(s, dlci);
1335         }
1336
1337         return 0;
1338 }
1339
1340 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1341 {
1342         struct rfcomm_session *s = d->session;
1343
1344         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1345                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1346
1347         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1348                                                 pn->flow_ctrl == 0xe0) {
1349                 d->cfc = RFCOMM_CFC_ENABLED;
1350                 d->tx_credits = pn->credits;
1351         } else {
1352                 d->cfc = RFCOMM_CFC_DISABLED;
1353                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1354         }
1355
1356         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1357                 s->cfc = d->cfc;
1358
1359         d->priority = pn->priority;
1360
1361         d->mtu = __le16_to_cpu(pn->mtu);
1362
1363         if (cr && d->mtu > s->mtu)
1364                 d->mtu = s->mtu;
1365
1366         return 0;
1367 }
1368
1369 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1370 {
1371         struct rfcomm_pn *pn = (void *) skb->data;
1372         struct rfcomm_dlc *d;
1373         u8 dlci = pn->dlci;
1374
1375         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1376
1377         if (!dlci)
1378                 return 0;
1379
1380         d = rfcomm_dlc_get(s, dlci);
1381         if (d) {
1382                 if (cr) {
1383                         /* PN request */
1384                         rfcomm_apply_pn(d, cr, pn);
1385                         rfcomm_send_pn(s, 0, d);
1386                 } else {
1387                         /* PN response */
1388                         switch (d->state) {
1389                         case BT_CONFIG:
1390                                 rfcomm_apply_pn(d, cr, pn);
1391
1392                                 d->state = BT_CONNECT;
1393                                 rfcomm_send_sabm(s, d->dlci);
1394                                 break;
1395                         }
1396                 }
1397         } else {
1398                 u8 channel = __srv_channel(dlci);
1399
1400                 if (!cr)
1401                         return 0;
1402
1403                 /* PN request for non existing DLC.
1404                  * Assume incoming connection. */
1405                 if (rfcomm_connect_ind(s, channel, &d)) {
1406                         d->dlci = dlci;
1407                         d->addr = __addr(s->initiator, dlci);
1408                         rfcomm_dlc_link(s, d);
1409
1410                         rfcomm_apply_pn(d, cr, pn);
1411
1412                         d->state = BT_OPEN;
1413                         rfcomm_send_pn(s, 0, d);
1414                 } else {
1415                         rfcomm_send_dm(s, dlci);
1416                 }
1417         }
1418         return 0;
1419 }
1420
1421 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1422 {
1423         struct rfcomm_rpn *rpn = (void *) skb->data;
1424         u8 dlci = __get_dlci(rpn->dlci);
1425
1426         u8 bit_rate  = 0;
1427         u8 data_bits = 0;
1428         u8 stop_bits = 0;
1429         u8 parity    = 0;
1430         u8 flow_ctrl = 0;
1431         u8 xon_char  = 0;
1432         u8 xoff_char = 0;
1433         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1434
1435         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1436                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1437                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1438
1439         if (!cr)
1440                 return 0;
1441
1442         if (len == 1) {
1443                 /* This is a request, return default (according to ETSI TS 07.10) settings */
1444                 bit_rate  = RFCOMM_RPN_BR_9600;
1445                 data_bits = RFCOMM_RPN_DATA_8;
1446                 stop_bits = RFCOMM_RPN_STOP_1;
1447                 parity    = RFCOMM_RPN_PARITY_NONE;
1448                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1449                 xon_char  = RFCOMM_RPN_XON_CHAR;
1450                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1451                 goto rpn_out;
1452         }
1453
1454         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1455          * no parity, no flow control lines, normal XON/XOFF chars */
1456
1457         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1458                 bit_rate = rpn->bit_rate;
1459                 if (bit_rate > RFCOMM_RPN_BR_230400) {
1460                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1461                         bit_rate = RFCOMM_RPN_BR_9600;
1462                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1463                 }
1464         }
1465
1466         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1467                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1468                 if (data_bits != RFCOMM_RPN_DATA_8) {
1469                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1470                         data_bits = RFCOMM_RPN_DATA_8;
1471                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1472                 }
1473         }
1474
1475         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1476                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1477                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1478                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1479                         stop_bits = RFCOMM_RPN_STOP_1;
1480                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1481                 }
1482         }
1483
1484         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1485                 parity = __get_rpn_parity(rpn->line_settings);
1486                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1487                         BT_DBG("RPN parity mismatch 0x%x", parity);
1488                         parity = RFCOMM_RPN_PARITY_NONE;
1489                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1490                 }
1491         }
1492
1493         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1494                 flow_ctrl = rpn->flow_ctrl;
1495                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1496                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1497                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1498                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1499                 }
1500         }
1501
1502         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1503                 xon_char = rpn->xon_char;
1504                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1505                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1506                         xon_char = RFCOMM_RPN_XON_CHAR;
1507                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1508                 }
1509         }
1510
1511         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1512                 xoff_char = rpn->xoff_char;
1513                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1514                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1515                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1516                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1517                 }
1518         }
1519
1520 rpn_out:
1521         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1522                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1523
1524         return 0;
1525 }
1526
1527 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1528 {
1529         struct rfcomm_rls *rls = (void *) skb->data;
1530         u8 dlci = __get_dlci(rls->dlci);
1531
1532         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1533
1534         if (!cr)
1535                 return 0;
1536
1537         /* We should probably do something with this information here. But
1538          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1539          * mandatory to recognise and respond to RLS */
1540
1541         rfcomm_send_rls(s, 0, dlci, rls->status);
1542
1543         return 0;
1544 }
1545
1546 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1547 {
1548         struct rfcomm_msc *msc = (void *) skb->data;
1549         struct rfcomm_dlc *d;
1550         u8 dlci = __get_dlci(msc->dlci);
1551
1552         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1553
1554         d = rfcomm_dlc_get(s, dlci);
1555         if (!d)
1556                 return 0;
1557
1558         if (cr) {
1559                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1560                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1561                 else
1562                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1563
1564                 rfcomm_dlc_lock(d);
1565
1566                 d->remote_v24_sig = msc->v24_sig;
1567
1568                 if (d->modem_status)
1569                         d->modem_status(d, msc->v24_sig);
1570
1571                 rfcomm_dlc_unlock(d);
1572
1573                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1574
1575                 d->mscex |= RFCOMM_MSCEX_RX;
1576         } else
1577                 d->mscex |= RFCOMM_MSCEX_TX;
1578
1579         return 0;
1580 }
1581
1582 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1583 {
1584         struct rfcomm_mcc *mcc = (void *) skb->data;
1585         u8 type, cr, len;
1586
1587         cr   = __test_cr(mcc->type);
1588         type = __get_mcc_type(mcc->type);
1589         len  = __get_mcc_len(mcc->len);
1590
1591         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1592
1593         skb_pull(skb, 2);
1594
1595         switch (type) {
1596         case RFCOMM_PN:
1597                 rfcomm_recv_pn(s, cr, skb);
1598                 break;
1599
1600         case RFCOMM_RPN:
1601                 rfcomm_recv_rpn(s, cr, len, skb);
1602                 break;
1603
1604         case RFCOMM_RLS:
1605                 rfcomm_recv_rls(s, cr, skb);
1606                 break;
1607
1608         case RFCOMM_MSC:
1609                 rfcomm_recv_msc(s, cr, skb);
1610                 break;
1611
1612         case RFCOMM_FCOFF:
1613                 if (cr) {
1614                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1615                         rfcomm_send_fcoff(s, 0);
1616                 }
1617                 break;
1618
1619         case RFCOMM_FCON:
1620                 if (cr) {
1621                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1622                         rfcomm_send_fcon(s, 0);
1623                 }
1624                 break;
1625
1626         case RFCOMM_TEST:
1627                 if (cr)
1628                         rfcomm_send_test(s, 0, skb->data, skb->len);
1629                 break;
1630
1631         case RFCOMM_NSC:
1632                 break;
1633
1634         default:
1635                 BT_ERR("Unknown control type 0x%02x", type);
1636                 rfcomm_send_nsc(s, cr, type);
1637                 break;
1638         }
1639         return 0;
1640 }
1641
1642 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1643 {
1644         struct rfcomm_dlc *d;
1645
1646         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1647
1648         d = rfcomm_dlc_get(s, dlci);
1649         if (!d) {
1650                 rfcomm_send_dm(s, dlci);
1651                 goto drop;
1652         }
1653
1654         if (pf && d->cfc) {
1655                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1656
1657                 d->tx_credits += credits;
1658                 if (d->tx_credits)
1659                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1660         }
1661
1662         if (skb->len && d->state == BT_CONNECTED) {
1663                 rfcomm_dlc_lock(d);
1664                 d->rx_credits--;
1665                 d->data_ready(d, skb);
1666                 rfcomm_dlc_unlock(d);
1667                 return 0;
1668         }
1669
1670 drop:
1671         kfree_skb(skb);
1672         return 0;
1673 }
1674
1675 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1676 {
1677         struct rfcomm_hdr *hdr = (void *) skb->data;
1678         u8 type, dlci, fcs;
1679
1680         dlci = __get_dlci(hdr->addr);
1681         type = __get_type(hdr->ctrl);
1682
1683         /* Trim FCS */
1684         skb->len--; skb->tail--;
1685         fcs = *(u8 *)skb_tail_pointer(skb);
1686
1687         if (__check_fcs(skb->data, type, fcs)) {
1688                 BT_ERR("bad checksum in packet");
1689                 kfree_skb(skb);
1690                 return -EILSEQ;
1691         }
1692
1693         if (__test_ea(hdr->len))
1694                 skb_pull(skb, 3);
1695         else
1696                 skb_pull(skb, 4);
1697
1698         switch (type) {
1699         case RFCOMM_SABM:
1700                 if (__test_pf(hdr->ctrl))
1701                         rfcomm_recv_sabm(s, dlci);
1702                 break;
1703
1704         case RFCOMM_DISC:
1705                 if (__test_pf(hdr->ctrl))
1706                         rfcomm_recv_disc(s, dlci);
1707                 break;
1708
1709         case RFCOMM_UA:
1710                 if (__test_pf(hdr->ctrl))
1711                         rfcomm_recv_ua(s, dlci);
1712                 break;
1713
1714         case RFCOMM_DM:
1715                 rfcomm_recv_dm(s, dlci);
1716                 break;
1717
1718         case RFCOMM_UIH:
1719                 if (dlci)
1720                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1721
1722                 rfcomm_recv_mcc(s, skb);
1723                 break;
1724
1725         default:
1726                 BT_ERR("Unknown packet type 0x%02x", type);
1727                 break;
1728         }
1729         kfree_skb(skb);
1730         return 0;
1731 }
1732
1733 /* ---- Connection and data processing ---- */
1734
1735 static void rfcomm_process_connect(struct rfcomm_session *s)
1736 {
1737         struct rfcomm_dlc *d;
1738         struct list_head *p, *n;
1739
1740         BT_DBG("session %p state %ld", s, s->state);
1741
1742         list_for_each_safe(p, n, &s->dlcs) {
1743                 d = list_entry(p, struct rfcomm_dlc, list);
1744                 if (d->state == BT_CONFIG) {
1745                         d->mtu = s->mtu;
1746                         if (rfcomm_check_security(d)) {
1747                                 rfcomm_send_pn(s, 1, d);
1748                         } else {
1749                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1750                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1751                         }
1752                 }
1753         }
1754 }
1755
1756 /* Send data queued for the DLC.
1757  * Return number of frames left in the queue.
1758  */
1759 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1760 {
1761         struct sk_buff *skb;
1762         int err;
1763
1764         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1765                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1766
1767         /* Send pending MSC */
1768         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1769                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1770
1771         if (d->cfc) {
1772                 /* CFC enabled.
1773                  * Give them some credits */
1774                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1775                                 d->rx_credits <= (d->cfc >> 2)) {
1776                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1777                         d->rx_credits = d->cfc;
1778                 }
1779         } else {
1780                 /* CFC disabled.
1781                  * Give ourselves some credits */
1782                 d->tx_credits = 5;
1783         }
1784
1785         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1786                 return skb_queue_len(&d->tx_queue);
1787
1788         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1789                 err = rfcomm_send_frame(d->session, skb->data, skb->len,
1790                                                         skb->priority);
1791                 if (err < 0) {
1792                         skb_queue_head(&d->tx_queue, skb);
1793                         break;
1794                 }
1795                 kfree_skb(skb);
1796                 d->tx_credits--;
1797         }
1798
1799         if (d->cfc && !d->tx_credits) {
1800                 /* We're out of TX credits.
1801                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1802                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1803         }
1804
1805         return skb_queue_len(&d->tx_queue);
1806 }
1807
1808 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1809 {
1810         struct rfcomm_dlc *d;
1811         struct list_head *p, *n;
1812
1813         BT_DBG("session %p state %ld", s, s->state);
1814
1815         list_for_each_safe(p, n, &s->dlcs) {
1816                 d = list_entry(p, struct rfcomm_dlc, list);
1817
1818                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1819                         __rfcomm_dlc_close(d, ETIMEDOUT);
1820                         continue;
1821                 }
1822
1823                 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1824                         __rfcomm_dlc_close(d, ECONNREFUSED);
1825                         continue;
1826                 }
1827
1828                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1829                         rfcomm_dlc_clear_timer(d);
1830                         if (d->out) {
1831                                 rfcomm_send_pn(s, 1, d);
1832                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1833                         } else {
1834                                 if (d->defer_setup) {
1835                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1836                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1837
1838                                         rfcomm_dlc_lock(d);
1839                                         d->state = BT_CONNECT2;
1840                                         d->state_change(d, 0);
1841                                         rfcomm_dlc_unlock(d);
1842                                 } else
1843                                         rfcomm_dlc_accept(d);
1844                         }
1845                         continue;
1846                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1847                         rfcomm_dlc_clear_timer(d);
1848                         if (!d->out)
1849                                 rfcomm_send_dm(s, d->dlci);
1850                         else
1851                                 d->state = BT_CLOSED;
1852                         __rfcomm_dlc_close(d, ECONNREFUSED);
1853                         continue;
1854                 }
1855
1856                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1857                         continue;
1858
1859                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1860                         continue;
1861
1862                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1863                                                 d->mscex == RFCOMM_MSCEX_OK)
1864                         rfcomm_process_tx(d);
1865         }
1866 }
1867
1868 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1869 {
1870         struct socket *sock = s->sock;
1871         struct sock *sk = sock->sk;
1872         struct sk_buff *skb;
1873
1874         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1875
1876         /* Get data directly from socket receive queue without copying it. */
1877         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1878                 skb_orphan(skb);
1879                 if (!skb_linearize(skb))
1880                         rfcomm_recv_frame(s, skb);
1881                 else
1882                         kfree_skb(skb);
1883         }
1884
1885         if (sk->sk_state == BT_CLOSED) {
1886                 if (!s->initiator)
1887                         rfcomm_session_put(s);
1888
1889                 rfcomm_session_close(s, sk->sk_err);
1890         }
1891 }
1892
1893 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1894 {
1895         struct socket *sock = s->sock, *nsock;
1896         int err;
1897
1898         /* Fast check for a new connection.
1899          * Avoids unnesesary socket allocations. */
1900         if (list_empty(&bt_sk(sock->sk)->accept_q))
1901                 return;
1902
1903         BT_DBG("session %p", s);
1904
1905         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1906         if (err < 0)
1907                 return;
1908
1909         /* Set our callbacks */
1910         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1911         nsock->sk->sk_state_change = rfcomm_l2state_change;
1912
1913         s = rfcomm_session_add(nsock, BT_OPEN);
1914         if (s) {
1915                 rfcomm_session_hold(s);
1916
1917                 /* We should adjust MTU on incoming sessions.
1918                  * L2CAP MTU minus UIH header and FCS. */
1919                 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1920                                 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1921
1922                 rfcomm_schedule();
1923         } else
1924                 sock_release(nsock);
1925 }
1926
1927 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1928 {
1929         struct sock *sk = s->sock->sk;
1930
1931         BT_DBG("%p state %ld", s, s->state);
1932
1933         switch (sk->sk_state) {
1934         case BT_CONNECTED:
1935                 s->state = BT_CONNECT;
1936
1937                 /* We can adjust MTU on outgoing sessions.
1938                  * L2CAP MTU minus UIH header and FCS. */
1939                 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1940
1941                 rfcomm_send_sabm(s, 0);
1942                 break;
1943
1944         case BT_CLOSED:
1945                 s->state = BT_CLOSED;
1946                 rfcomm_session_close(s, sk->sk_err);
1947                 break;
1948         }
1949 }
1950
1951 static inline void rfcomm_process_sessions(void)
1952 {
1953         struct list_head *p, *n;
1954
1955         rfcomm_lock();
1956
1957         list_for_each_safe(p, n, &session_list) {
1958                 struct rfcomm_session *s;
1959                 s = list_entry(p, struct rfcomm_session, list);
1960
1961                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1962                         s->state = BT_DISCONN;
1963                         rfcomm_send_disc(s, 0);
1964                         rfcomm_session_put(s);
1965                         continue;
1966                 }
1967
1968                 if (s->state == BT_LISTEN) {
1969                         rfcomm_accept_connection(s);
1970                         continue;
1971                 }
1972
1973                 rfcomm_session_hold(s);
1974
1975                 switch (s->state) {
1976                 case BT_BOUND:
1977                         rfcomm_check_connection(s);
1978                         break;
1979
1980                 default:
1981                         rfcomm_process_rx(s);
1982                         break;
1983                 }
1984
1985                 rfcomm_process_dlcs(s);
1986
1987                 rfcomm_session_put(s);
1988         }
1989
1990         rfcomm_unlock();
1991 }
1992
1993 static int rfcomm_add_listener(bdaddr_t *ba)
1994 {
1995         struct sockaddr_l2 addr;
1996         struct socket *sock;
1997         struct sock *sk;
1998         struct rfcomm_session *s;
1999         int    err = 0;
2000
2001         /* Create socket */
2002         err = rfcomm_l2sock_create(&sock);
2003         if (err < 0) {
2004                 BT_ERR("Create socket failed %d", err);
2005                 return err;
2006         }
2007
2008         /* Bind socket */
2009         bacpy(&addr.l2_bdaddr, ba);
2010         addr.l2_family = AF_BLUETOOTH;
2011         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
2012         addr.l2_cid    = 0;
2013         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2014         if (err < 0) {
2015                 BT_ERR("Bind failed %d", err);
2016                 goto failed;
2017         }
2018
2019         /* Set L2CAP options */
2020         sk = sock->sk;
2021         lock_sock(sk);
2022         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2023         release_sock(sk);
2024
2025         /* Start listening on the socket */
2026         err = kernel_listen(sock, 10);
2027         if (err) {
2028                 BT_ERR("Listen failed %d", err);
2029                 goto failed;
2030         }
2031
2032         /* Add listening session */
2033         s = rfcomm_session_add(sock, BT_LISTEN);
2034         if (!s)
2035                 goto failed;
2036
2037         rfcomm_session_hold(s);
2038         return 0;
2039 failed:
2040         sock_release(sock);
2041         return err;
2042 }
2043
2044 static void rfcomm_kill_listener(void)
2045 {
2046         struct rfcomm_session *s;
2047         struct list_head *p, *n;
2048
2049         BT_DBG("");
2050
2051         list_for_each_safe(p, n, &session_list) {
2052                 s = list_entry(p, struct rfcomm_session, list);
2053                 rfcomm_session_del(s);
2054         }
2055 }
2056
2057 static int rfcomm_run(void *unused)
2058 {
2059         BT_DBG("");
2060
2061         set_user_nice(current, -10);
2062
2063         rfcomm_add_listener(BDADDR_ANY);
2064
2065         while (1) {
2066                 set_current_state(TASK_INTERRUPTIBLE);
2067
2068                 if (kthread_should_stop())
2069                         break;
2070
2071                 /* Process stuff */
2072                 rfcomm_process_sessions();
2073
2074                 schedule();
2075         }
2076         __set_current_state(TASK_RUNNING);
2077
2078         rfcomm_kill_listener();
2079
2080         return 0;
2081 }
2082
2083 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2084 {
2085         struct rfcomm_session *s;
2086         struct rfcomm_dlc *d;
2087         struct list_head *p, *n;
2088
2089         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2090
2091         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2092         if (!s)
2093                 return;
2094
2095         rfcomm_session_hold(s);
2096
2097         list_for_each_safe(p, n, &s->dlcs) {
2098                 d = list_entry(p, struct rfcomm_dlc, list);
2099
2100                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2101                         rfcomm_dlc_clear_timer(d);
2102                         if (status || encrypt == 0x00) {
2103                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2104                                 continue;
2105                         }
2106                 }
2107
2108                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2109                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2110                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2111                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2112                                 continue;
2113                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2114                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2115                                 continue;
2116                         }
2117                 }
2118
2119                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2120                         continue;
2121
2122                 if (!status && hci_conn_check_secure(conn, d->sec_level))
2123                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2124                 else
2125                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2126         }
2127
2128         rfcomm_session_put(s);
2129
2130         rfcomm_schedule();
2131 }
2132
2133 static struct hci_cb rfcomm_cb = {
2134         .name           = "RFCOMM",
2135         .security_cfm   = rfcomm_security_cfm
2136 };
2137
2138 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2139 {
2140         struct rfcomm_session *s;
2141
2142         rfcomm_lock();
2143
2144         list_for_each_entry(s, &session_list, list) {
2145                 struct rfcomm_dlc *d;
2146                 list_for_each_entry(d, &s->dlcs, list) {
2147                         struct sock *sk = s->sock->sk;
2148
2149                         seq_printf(f, "%s %s %ld %d %d %d %d\n",
2150                                                 batostr(&bt_sk(sk)->src),
2151                                                 batostr(&bt_sk(sk)->dst),
2152                                                 d->state, d->dlci, d->mtu,
2153                                                 d->rx_credits, d->tx_credits);
2154                 }
2155         }
2156
2157         rfcomm_unlock();
2158
2159         return 0;
2160 }
2161
2162 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2163 {
2164         return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2165 }
2166
2167 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2168         .open           = rfcomm_dlc_debugfs_open,
2169         .read           = seq_read,
2170         .llseek         = seq_lseek,
2171         .release        = single_release,
2172 };
2173
2174 static struct dentry *rfcomm_dlc_debugfs;
2175
2176 /* ---- Initialization ---- */
2177 static int __init rfcomm_init(void)
2178 {
2179         int err;
2180
2181         hci_register_cb(&rfcomm_cb);
2182
2183         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2184         if (IS_ERR(rfcomm_thread)) {
2185                 err = PTR_ERR(rfcomm_thread);
2186                 goto unregister;
2187         }
2188
2189         if (bt_debugfs) {
2190                 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2191                                 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2192                 if (!rfcomm_dlc_debugfs)
2193                         BT_ERR("Failed to create RFCOMM debug file");
2194         }
2195
2196         err = rfcomm_init_ttys();
2197         if (err < 0)
2198                 goto stop;
2199
2200         err = rfcomm_init_sockets();
2201         if (err < 0)
2202                 goto cleanup;
2203
2204         BT_INFO("RFCOMM ver %s", VERSION);
2205
2206         return 0;
2207
2208 cleanup:
2209         rfcomm_cleanup_ttys();
2210
2211 stop:
2212         kthread_stop(rfcomm_thread);
2213
2214 unregister:
2215         hci_unregister_cb(&rfcomm_cb);
2216
2217         return err;
2218 }
2219
2220 static void __exit rfcomm_exit(void)
2221 {
2222         debugfs_remove(rfcomm_dlc_debugfs);
2223
2224         hci_unregister_cb(&rfcomm_cb);
2225
2226         kthread_stop(rfcomm_thread);
2227
2228         rfcomm_cleanup_ttys();
2229
2230         rfcomm_cleanup_sockets();
2231 }
2232
2233 module_init(rfcomm_init);
2234 module_exit(rfcomm_exit);
2235
2236 module_param(disable_cfc, bool, 0644);
2237 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2238
2239 module_param(channel_mtu, int, 0644);
2240 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2241
2242 module_param(l2cap_mtu, uint, 0644);
2243 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2244
2245 module_param(l2cap_ertm, bool, 0644);
2246 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2247
2248 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2249 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2250 MODULE_VERSION(VERSION);
2251 MODULE_LICENSE("GPL");
2252 MODULE_ALIAS("bt-proto-3");