Bluetooth: Coding style cleanup from previous rfcomm_init bug fix
[pandora-kernel.git] / net / bluetooth / rfcomm / core.c
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25  * Bluetooth RFCOMM core.
26  */
27
28 #include <linux/module.h>
29 #include <linux/errno.h>
30 #include <linux/kernel.h>
31 #include <linux/sched.h>
32 #include <linux/signal.h>
33 #include <linux/init.h>
34 #include <linux/wait.h>
35 #include <linux/device.h>
36 #include <linux/net.h>
37 #include <linux/mutex.h>
38 #include <linux/kthread.h>
39
40 #include <net/sock.h>
41 #include <asm/uaccess.h>
42 #include <asm/unaligned.h>
43
44 #include <net/bluetooth/bluetooth.h>
45 #include <net/bluetooth/hci_core.h>
46 #include <net/bluetooth/l2cap.h>
47 #include <net/bluetooth/rfcomm.h>
48
49 #define VERSION "1.11"
50
51 static int disable_cfc = 0;
52 static int channel_mtu = -1;
53 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
54
55 static struct task_struct *rfcomm_thread;
56
57 static DEFINE_MUTEX(rfcomm_mutex);
58 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
59 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
60
61 static unsigned long rfcomm_event;
62
63 static LIST_HEAD(session_list);
64
65 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
66 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
67 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
68 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
69 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
70 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
71 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
72 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
73 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
74 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
75
76 static void rfcomm_process_connect(struct rfcomm_session *s);
77
78 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err);
79 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
80 static void rfcomm_session_del(struct rfcomm_session *s);
81
82 /* ---- RFCOMM frame parsing macros ---- */
83 #define __get_dlci(b)     ((b & 0xfc) >> 2)
84 #define __get_channel(b)  ((b & 0xf8) >> 3)
85 #define __get_dir(b)      ((b & 0x04) >> 2)
86 #define __get_type(b)     ((b & 0xef))
87
88 #define __test_ea(b)      ((b & 0x01))
89 #define __test_cr(b)      ((b & 0x02))
90 #define __test_pf(b)      ((b & 0x10))
91
92 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
93 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
94 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
95 #define __srv_channel(dlci)    (dlci >> 1)
96 #define __dir(dlci)            (dlci & 0x01)
97
98 #define __len8(len)       (((len) << 1) | 1)
99 #define __len16(len)      ((len) << 1)
100
101 /* MCC macros */
102 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
103 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
104 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
105
106 /* RPN macros */
107 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
108 #define __get_rpn_data_bits(line) ((line) & 0x3)
109 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
110 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
111
112 static inline void rfcomm_schedule(uint event)
113 {
114         if (!rfcomm_thread)
115                 return;
116         //set_bit(event, &rfcomm_event);
117         set_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
118         wake_up_process(rfcomm_thread);
119 }
120
121 static inline void rfcomm_session_put(struct rfcomm_session *s)
122 {
123         if (atomic_dec_and_test(&s->refcnt))
124                 rfcomm_session_del(s);
125 }
126
127 /* ---- RFCOMM FCS computation ---- */
128
129 /* reversed, 8-bit, poly=0x07 */
130 static unsigned char rfcomm_crc_table[256] = {
131         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
132         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
133         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
134         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
135
136         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
137         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
138         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
139         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
140
141         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
142         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
143         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
144         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
145
146         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
147         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
148         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
149         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
150
151         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
152         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
153         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
154         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
155
156         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
157         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
158         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
159         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
160
161         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
162         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
163         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
164         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
165
166         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
167         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
168         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
169         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
170 };
171
172 /* CRC on 2 bytes */
173 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
174
175 /* FCS on 2 bytes */
176 static inline u8 __fcs(u8 *data)
177 {
178         return (0xff - __crc(data));
179 }
180
181 /* FCS on 3 bytes */
182 static inline u8 __fcs2(u8 *data)
183 {
184         return (0xff - rfcomm_crc_table[__crc(data) ^ data[2]]);
185 }
186
187 /* Check FCS */
188 static inline int __check_fcs(u8 *data, int type, u8 fcs)
189 {
190         u8 f = __crc(data);
191
192         if (type != RFCOMM_UIH)
193                 f = rfcomm_crc_table[f ^ data[2]];
194
195         return rfcomm_crc_table[f ^ fcs] != 0xcf;
196 }
197
198 /* ---- L2CAP callbacks ---- */
199 static void rfcomm_l2state_change(struct sock *sk)
200 {
201         BT_DBG("%p state %d", sk, sk->sk_state);
202         rfcomm_schedule(RFCOMM_SCHED_STATE);
203 }
204
205 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
206 {
207         BT_DBG("%p bytes %d", sk, bytes);
208         rfcomm_schedule(RFCOMM_SCHED_RX);
209 }
210
211 static int rfcomm_l2sock_create(struct socket **sock)
212 {
213         int err;
214
215         BT_DBG("");
216
217         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
218         if (!err) {
219                 struct sock *sk = (*sock)->sk;
220                 sk->sk_data_ready   = rfcomm_l2data_ready;
221                 sk->sk_state_change = rfcomm_l2state_change;
222         }
223         return err;
224 }
225
226 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
227 {
228         struct sock *sk = d->session->sock->sk;
229         __u8 auth_type;
230
231         switch (d->sec_level) {
232         case BT_SECURITY_HIGH:
233                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
234                 break;
235         case BT_SECURITY_MEDIUM:
236                 auth_type = HCI_AT_GENERAL_BONDING;
237                 break;
238         default:
239                 auth_type = HCI_AT_NO_BONDING;
240                 break;
241         }
242
243         return hci_conn_security(l2cap_pi(sk)->conn->hcon, d->sec_level,
244                                                                 auth_type);
245 }
246
247 /* ---- RFCOMM DLCs ---- */
248 static void rfcomm_dlc_timeout(unsigned long arg)
249 {
250         struct rfcomm_dlc *d = (void *) arg;
251
252         BT_DBG("dlc %p state %ld", d, d->state);
253
254         set_bit(RFCOMM_TIMED_OUT, &d->flags);
255         rfcomm_dlc_put(d);
256         rfcomm_schedule(RFCOMM_SCHED_TIMEO);
257 }
258
259 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
260 {
261         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
262
263         if (!mod_timer(&d->timer, jiffies + timeout))
264                 rfcomm_dlc_hold(d);
265 }
266
267 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
268 {
269         BT_DBG("dlc %p state %ld", d, d->state);
270
271         if (timer_pending(&d->timer) && del_timer(&d->timer))
272                 rfcomm_dlc_put(d);
273 }
274
275 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
276 {
277         BT_DBG("%p", d);
278
279         d->state      = BT_OPEN;
280         d->flags      = 0;
281         d->mscex      = 0;
282         d->mtu        = RFCOMM_DEFAULT_MTU;
283         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
284
285         d->cfc        = RFCOMM_CFC_DISABLED;
286         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
287 }
288
289 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
290 {
291         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
292
293         if (!d)
294                 return NULL;
295
296         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
297
298         skb_queue_head_init(&d->tx_queue);
299         spin_lock_init(&d->lock);
300         atomic_set(&d->refcnt, 1);
301
302         rfcomm_dlc_clear_state(d);
303
304         BT_DBG("%p", d);
305
306         return d;
307 }
308
309 void rfcomm_dlc_free(struct rfcomm_dlc *d)
310 {
311         BT_DBG("%p", d);
312
313         skb_queue_purge(&d->tx_queue);
314         kfree(d);
315 }
316
317 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
318 {
319         BT_DBG("dlc %p session %p", d, s);
320
321         rfcomm_session_hold(s);
322
323         rfcomm_dlc_hold(d);
324         list_add(&d->list, &s->dlcs);
325         d->session = s;
326 }
327
328 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
329 {
330         struct rfcomm_session *s = d->session;
331
332         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
333
334         list_del(&d->list);
335         d->session = NULL;
336         rfcomm_dlc_put(d);
337
338         rfcomm_session_put(s);
339 }
340
341 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
342 {
343         struct rfcomm_dlc *d;
344         struct list_head *p;
345
346         list_for_each(p, &s->dlcs) {
347                 d = list_entry(p, struct rfcomm_dlc, list);
348                 if (d->dlci == dlci)
349                         return d;
350         }
351         return NULL;
352 }
353
354 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
355 {
356         struct rfcomm_session *s;
357         int err = 0;
358         u8 dlci;
359
360         BT_DBG("dlc %p state %ld %s %s channel %d",
361                         d, d->state, batostr(src), batostr(dst), channel);
362
363         if (channel < 1 || channel > 30)
364                 return -EINVAL;
365
366         if (d->state != BT_OPEN && d->state != BT_CLOSED)
367                 return 0;
368
369         s = rfcomm_session_get(src, dst);
370         if (!s) {
371                 s = rfcomm_session_create(src, dst, &err);
372                 if (!s)
373                         return err;
374         }
375
376         dlci = __dlci(!s->initiator, channel);
377
378         /* Check if DLCI already exists */
379         if (rfcomm_dlc_get(s, dlci))
380                 return -EBUSY;
381
382         rfcomm_dlc_clear_state(d);
383
384         d->dlci     = dlci;
385         d->addr     = __addr(s->initiator, dlci);
386         d->priority = 7;
387
388         d->state = BT_CONFIG;
389         rfcomm_dlc_link(s, d);
390
391         d->out = 1;
392
393         d->mtu = s->mtu;
394         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
395
396         if (s->state == BT_CONNECTED) {
397                 if (rfcomm_check_security(d))
398                         rfcomm_send_pn(s, 1, d);
399                 else
400                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
401         }
402
403         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
404
405         return 0;
406 }
407
408 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
409 {
410         int r;
411
412         rfcomm_lock();
413
414         r = __rfcomm_dlc_open(d, src, dst, channel);
415
416         rfcomm_unlock();
417         return r;
418 }
419
420 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
421 {
422         struct rfcomm_session *s = d->session;
423         if (!s)
424                 return 0;
425
426         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
427                         d, d->state, d->dlci, err, s);
428
429         switch (d->state) {
430         case BT_CONNECT:
431         case BT_CONFIG:
432                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
433                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
434                         rfcomm_schedule(RFCOMM_SCHED_AUTH);
435                         break;
436                 }
437                 /* Fall through */
438
439         case BT_CONNECTED:
440                 d->state = BT_DISCONN;
441                 if (skb_queue_empty(&d->tx_queue)) {
442                         rfcomm_send_disc(s, d->dlci);
443                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
444                 } else {
445                         rfcomm_queue_disc(d);
446                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
447                 }
448                 break;
449
450         case BT_OPEN:
451         case BT_CONNECT2:
452                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
453                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
454                         rfcomm_schedule(RFCOMM_SCHED_AUTH);
455                         break;
456                 }
457                 /* Fall through */
458
459         default:
460                 rfcomm_dlc_clear_timer(d);
461
462                 rfcomm_dlc_lock(d);
463                 d->state = BT_CLOSED;
464                 d->state_change(d, err);
465                 rfcomm_dlc_unlock(d);
466
467                 skb_queue_purge(&d->tx_queue);
468                 rfcomm_dlc_unlink(d);
469         }
470
471         return 0;
472 }
473
474 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
475 {
476         int r;
477
478         rfcomm_lock();
479
480         r = __rfcomm_dlc_close(d, err);
481
482         rfcomm_unlock();
483         return r;
484 }
485
486 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
487 {
488         int len = skb->len;
489
490         if (d->state != BT_CONNECTED)
491                 return -ENOTCONN;
492
493         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
494
495         if (len > d->mtu)
496                 return -EINVAL;
497
498         rfcomm_make_uih(skb, d->addr);
499         skb_queue_tail(&d->tx_queue, skb);
500
501         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
502                 rfcomm_schedule(RFCOMM_SCHED_TX);
503         return len;
504 }
505
506 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
507 {
508         BT_DBG("dlc %p state %ld", d, d->state);
509
510         if (!d->cfc) {
511                 d->v24_sig |= RFCOMM_V24_FC;
512                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
513         }
514         rfcomm_schedule(RFCOMM_SCHED_TX);
515 }
516
517 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
518 {
519         BT_DBG("dlc %p state %ld", d, d->state);
520
521         if (!d->cfc) {
522                 d->v24_sig &= ~RFCOMM_V24_FC;
523                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
524         }
525         rfcomm_schedule(RFCOMM_SCHED_TX);
526 }
527
528 /*
529    Set/get modem status functions use _local_ status i.e. what we report
530    to the other side.
531    Remote status is provided by dlc->modem_status() callback.
532  */
533 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
534 {
535         BT_DBG("dlc %p state %ld v24_sig 0x%x",
536                         d, d->state, v24_sig);
537
538         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
539                 v24_sig |= RFCOMM_V24_FC;
540         else
541                 v24_sig &= ~RFCOMM_V24_FC;
542
543         d->v24_sig = v24_sig;
544
545         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
546                 rfcomm_schedule(RFCOMM_SCHED_TX);
547
548         return 0;
549 }
550
551 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
552 {
553         BT_DBG("dlc %p state %ld v24_sig 0x%x",
554                         d, d->state, d->v24_sig);
555
556         *v24_sig = d->v24_sig;
557         return 0;
558 }
559
560 /* ---- RFCOMM sessions ---- */
561 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
562 {
563         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
564
565         if (!s)
566                 return NULL;
567
568         BT_DBG("session %p sock %p", s, sock);
569
570         INIT_LIST_HEAD(&s->dlcs);
571         s->state = state;
572         s->sock  = sock;
573
574         s->mtu = RFCOMM_DEFAULT_MTU;
575         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
576
577         /* Do not increment module usage count for listening sessions.
578          * Otherwise we won't be able to unload the module. */
579         if (state != BT_LISTEN)
580                 if (!try_module_get(THIS_MODULE)) {
581                         kfree(s);
582                         return NULL;
583                 }
584
585         list_add(&s->list, &session_list);
586
587         return s;
588 }
589
590 static void rfcomm_session_del(struct rfcomm_session *s)
591 {
592         int state = s->state;
593
594         BT_DBG("session %p state %ld", s, s->state);
595
596         list_del(&s->list);
597
598         if (state == BT_CONNECTED)
599                 rfcomm_send_disc(s, 0);
600
601         sock_release(s->sock);
602         kfree(s);
603
604         if (state != BT_LISTEN)
605                 module_put(THIS_MODULE);
606 }
607
608 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
609 {
610         struct rfcomm_session *s;
611         struct list_head *p, *n;
612         struct bt_sock *sk;
613         list_for_each_safe(p, n, &session_list) {
614                 s = list_entry(p, struct rfcomm_session, list);
615                 sk = bt_sk(s->sock->sk);
616
617                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
618                                 !bacmp(&sk->dst, dst))
619                         return s;
620         }
621         return NULL;
622 }
623
624 static void rfcomm_session_close(struct rfcomm_session *s, int err)
625 {
626         struct rfcomm_dlc *d;
627         struct list_head *p, *n;
628
629         BT_DBG("session %p state %ld err %d", s, s->state, err);
630
631         rfcomm_session_hold(s);
632
633         s->state = BT_CLOSED;
634
635         /* Close all dlcs */
636         list_for_each_safe(p, n, &s->dlcs) {
637                 d = list_entry(p, struct rfcomm_dlc, list);
638                 d->state = BT_CLOSED;
639                 __rfcomm_dlc_close(d, err);
640         }
641
642         rfcomm_session_put(s);
643 }
644
645 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err)
646 {
647         struct rfcomm_session *s = NULL;
648         struct sockaddr_l2 addr;
649         struct socket *sock;
650         struct sock *sk;
651
652         BT_DBG("%s %s", batostr(src), batostr(dst));
653
654         *err = rfcomm_l2sock_create(&sock);
655         if (*err < 0)
656                 return NULL;
657
658         bacpy(&addr.l2_bdaddr, src);
659         addr.l2_family = AF_BLUETOOTH;
660         addr.l2_psm    = 0;
661         addr.l2_cid    = 0;
662         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
663         if (*err < 0)
664                 goto failed;
665
666         /* Set L2CAP options */
667         sk = sock->sk;
668         lock_sock(sk);
669         l2cap_pi(sk)->imtu = l2cap_mtu;
670         release_sock(sk);
671
672         s = rfcomm_session_add(sock, BT_BOUND);
673         if (!s) {
674                 *err = -ENOMEM;
675                 goto failed;
676         }
677
678         s->initiator = 1;
679
680         bacpy(&addr.l2_bdaddr, dst);
681         addr.l2_family = AF_BLUETOOTH;
682         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
683         addr.l2_cid    = 0;
684         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
685         if (*err == 0 || *err == -EINPROGRESS)
686                 return s;
687
688         rfcomm_session_del(s);
689         return NULL;
690
691 failed:
692         sock_release(sock);
693         return NULL;
694 }
695
696 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
697 {
698         struct sock *sk = s->sock->sk;
699         if (src)
700                 bacpy(src, &bt_sk(sk)->src);
701         if (dst)
702                 bacpy(dst, &bt_sk(sk)->dst);
703 }
704
705 /* ---- RFCOMM frame sending ---- */
706 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
707 {
708         struct socket *sock = s->sock;
709         struct kvec iv = { data, len };
710         struct msghdr msg;
711
712         BT_DBG("session %p len %d", s, len);
713
714         memset(&msg, 0, sizeof(msg));
715
716         return kernel_sendmsg(sock, &msg, &iv, 1, len);
717 }
718
719 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
720 {
721         struct rfcomm_cmd cmd;
722
723         BT_DBG("%p dlci %d", s, dlci);
724
725         cmd.addr = __addr(s->initiator, dlci);
726         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
727         cmd.len  = __len8(0);
728         cmd.fcs  = __fcs2((u8 *) &cmd);
729
730         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
731 }
732
733 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
734 {
735         struct rfcomm_cmd cmd;
736
737         BT_DBG("%p dlci %d", s, dlci);
738
739         cmd.addr = __addr(!s->initiator, dlci);
740         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
741         cmd.len  = __len8(0);
742         cmd.fcs  = __fcs2((u8 *) &cmd);
743
744         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
745 }
746
747 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
748 {
749         struct rfcomm_cmd cmd;
750
751         BT_DBG("%p dlci %d", s, dlci);
752
753         cmd.addr = __addr(s->initiator, dlci);
754         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
755         cmd.len  = __len8(0);
756         cmd.fcs  = __fcs2((u8 *) &cmd);
757
758         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
759 }
760
761 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
762 {
763         struct rfcomm_cmd *cmd;
764         struct sk_buff *skb;
765
766         BT_DBG("dlc %p dlci %d", d, d->dlci);
767
768         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
769         if (!skb)
770                 return -ENOMEM;
771
772         cmd = (void *) __skb_put(skb, sizeof(*cmd));
773         cmd->addr = d->addr;
774         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
775         cmd->len  = __len8(0);
776         cmd->fcs  = __fcs2((u8 *) cmd);
777
778         skb_queue_tail(&d->tx_queue, skb);
779         rfcomm_schedule(RFCOMM_SCHED_TX);
780         return 0;
781 }
782
783 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
784 {
785         struct rfcomm_cmd cmd;
786
787         BT_DBG("%p dlci %d", s, dlci);
788
789         cmd.addr = __addr(!s->initiator, dlci);
790         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
791         cmd.len  = __len8(0);
792         cmd.fcs  = __fcs2((u8 *) &cmd);
793
794         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
795 }
796
797 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
798 {
799         struct rfcomm_hdr *hdr;
800         struct rfcomm_mcc *mcc;
801         u8 buf[16], *ptr = buf;
802
803         BT_DBG("%p cr %d type %d", s, cr, type);
804
805         hdr = (void *) ptr; ptr += sizeof(*hdr);
806         hdr->addr = __addr(s->initiator, 0);
807         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
808         hdr->len  = __len8(sizeof(*mcc) + 1);
809
810         mcc = (void *) ptr; ptr += sizeof(*mcc);
811         mcc->type = __mcc_type(cr, RFCOMM_NSC);
812         mcc->len  = __len8(1);
813
814         /* Type that we didn't like */
815         *ptr = __mcc_type(cr, type); ptr++;
816
817         *ptr = __fcs(buf); ptr++;
818
819         return rfcomm_send_frame(s, buf, ptr - buf);
820 }
821
822 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
823 {
824         struct rfcomm_hdr *hdr;
825         struct rfcomm_mcc *mcc;
826         struct rfcomm_pn  *pn;
827         u8 buf[16], *ptr = buf;
828
829         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
830
831         hdr = (void *) ptr; ptr += sizeof(*hdr);
832         hdr->addr = __addr(s->initiator, 0);
833         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
834         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
835
836         mcc = (void *) ptr; ptr += sizeof(*mcc);
837         mcc->type = __mcc_type(cr, RFCOMM_PN);
838         mcc->len  = __len8(sizeof(*pn));
839
840         pn = (void *) ptr; ptr += sizeof(*pn);
841         pn->dlci        = d->dlci;
842         pn->priority    = d->priority;
843         pn->ack_timer   = 0;
844         pn->max_retrans = 0;
845
846         if (s->cfc) {
847                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
848                 pn->credits = RFCOMM_DEFAULT_CREDITS;
849         } else {
850                 pn->flow_ctrl = 0;
851                 pn->credits   = 0;
852         }
853
854         if (cr && channel_mtu >= 0)
855                 pn->mtu = cpu_to_le16(channel_mtu);
856         else
857                 pn->mtu = cpu_to_le16(d->mtu);
858
859         *ptr = __fcs(buf); ptr++;
860
861         return rfcomm_send_frame(s, buf, ptr - buf);
862 }
863
864 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
865                         u8 bit_rate, u8 data_bits, u8 stop_bits,
866                         u8 parity, u8 flow_ctrl_settings,
867                         u8 xon_char, u8 xoff_char, u16 param_mask)
868 {
869         struct rfcomm_hdr *hdr;
870         struct rfcomm_mcc *mcc;
871         struct rfcomm_rpn *rpn;
872         u8 buf[16], *ptr = buf;
873
874         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
875                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
876                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
877                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
878
879         hdr = (void *) ptr; ptr += sizeof(*hdr);
880         hdr->addr = __addr(s->initiator, 0);
881         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
882         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
883
884         mcc = (void *) ptr; ptr += sizeof(*mcc);
885         mcc->type = __mcc_type(cr, RFCOMM_RPN);
886         mcc->len  = __len8(sizeof(*rpn));
887
888         rpn = (void *) ptr; ptr += sizeof(*rpn);
889         rpn->dlci          = __addr(1, dlci);
890         rpn->bit_rate      = bit_rate;
891         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
892         rpn->flow_ctrl     = flow_ctrl_settings;
893         rpn->xon_char      = xon_char;
894         rpn->xoff_char     = xoff_char;
895         rpn->param_mask    = cpu_to_le16(param_mask);
896
897         *ptr = __fcs(buf); ptr++;
898
899         return rfcomm_send_frame(s, buf, ptr - buf);
900 }
901
902 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
903 {
904         struct rfcomm_hdr *hdr;
905         struct rfcomm_mcc *mcc;
906         struct rfcomm_rls *rls;
907         u8 buf[16], *ptr = buf;
908
909         BT_DBG("%p cr %d status 0x%x", s, cr, status);
910
911         hdr = (void *) ptr; ptr += sizeof(*hdr);
912         hdr->addr = __addr(s->initiator, 0);
913         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
914         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
915
916         mcc = (void *) ptr; ptr += sizeof(*mcc);
917         mcc->type = __mcc_type(cr, RFCOMM_RLS);
918         mcc->len  = __len8(sizeof(*rls));
919
920         rls = (void *) ptr; ptr += sizeof(*rls);
921         rls->dlci   = __addr(1, dlci);
922         rls->status = status;
923
924         *ptr = __fcs(buf); ptr++;
925
926         return rfcomm_send_frame(s, buf, ptr - buf);
927 }
928
929 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
930 {
931         struct rfcomm_hdr *hdr;
932         struct rfcomm_mcc *mcc;
933         struct rfcomm_msc *msc;
934         u8 buf[16], *ptr = buf;
935
936         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
937
938         hdr = (void *) ptr; ptr += sizeof(*hdr);
939         hdr->addr = __addr(s->initiator, 0);
940         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
941         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
942
943         mcc = (void *) ptr; ptr += sizeof(*mcc);
944         mcc->type = __mcc_type(cr, RFCOMM_MSC);
945         mcc->len  = __len8(sizeof(*msc));
946
947         msc = (void *) ptr; ptr += sizeof(*msc);
948         msc->dlci    = __addr(1, dlci);
949         msc->v24_sig = v24_sig | 0x01;
950
951         *ptr = __fcs(buf); ptr++;
952
953         return rfcomm_send_frame(s, buf, ptr - buf);
954 }
955
956 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
957 {
958         struct rfcomm_hdr *hdr;
959         struct rfcomm_mcc *mcc;
960         u8 buf[16], *ptr = buf;
961
962         BT_DBG("%p cr %d", s, cr);
963
964         hdr = (void *) ptr; ptr += sizeof(*hdr);
965         hdr->addr = __addr(s->initiator, 0);
966         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
967         hdr->len  = __len8(sizeof(*mcc));
968
969         mcc = (void *) ptr; ptr += sizeof(*mcc);
970         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
971         mcc->len  = __len8(0);
972
973         *ptr = __fcs(buf); ptr++;
974
975         return rfcomm_send_frame(s, buf, ptr - buf);
976 }
977
978 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
979 {
980         struct rfcomm_hdr *hdr;
981         struct rfcomm_mcc *mcc;
982         u8 buf[16], *ptr = buf;
983
984         BT_DBG("%p cr %d", s, cr);
985
986         hdr = (void *) ptr; ptr += sizeof(*hdr);
987         hdr->addr = __addr(s->initiator, 0);
988         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
989         hdr->len  = __len8(sizeof(*mcc));
990
991         mcc = (void *) ptr; ptr += sizeof(*mcc);
992         mcc->type = __mcc_type(cr, RFCOMM_FCON);
993         mcc->len  = __len8(0);
994
995         *ptr = __fcs(buf); ptr++;
996
997         return rfcomm_send_frame(s, buf, ptr - buf);
998 }
999
1000 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1001 {
1002         struct socket *sock = s->sock;
1003         struct kvec iv[3];
1004         struct msghdr msg;
1005         unsigned char hdr[5], crc[1];
1006
1007         if (len > 125)
1008                 return -EINVAL;
1009
1010         BT_DBG("%p cr %d", s, cr);
1011
1012         hdr[0] = __addr(s->initiator, 0);
1013         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1014         hdr[2] = 0x01 | ((len + 2) << 1);
1015         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1016         hdr[4] = 0x01 | (len << 1);
1017
1018         crc[0] = __fcs(hdr);
1019
1020         iv[0].iov_base = hdr;
1021         iv[0].iov_len  = 5;
1022         iv[1].iov_base = pattern;
1023         iv[1].iov_len  = len;
1024         iv[2].iov_base = crc;
1025         iv[2].iov_len  = 1;
1026
1027         memset(&msg, 0, sizeof(msg));
1028
1029         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1030 }
1031
1032 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1033 {
1034         struct rfcomm_hdr *hdr;
1035         u8 buf[16], *ptr = buf;
1036
1037         BT_DBG("%p addr %d credits %d", s, addr, credits);
1038
1039         hdr = (void *) ptr; ptr += sizeof(*hdr);
1040         hdr->addr = addr;
1041         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1042         hdr->len  = __len8(0);
1043
1044         *ptr = credits; ptr++;
1045
1046         *ptr = __fcs(buf); ptr++;
1047
1048         return rfcomm_send_frame(s, buf, ptr - buf);
1049 }
1050
1051 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1052 {
1053         struct rfcomm_hdr *hdr;
1054         int len = skb->len;
1055         u8 *crc;
1056
1057         if (len > 127) {
1058                 hdr = (void *) skb_push(skb, 4);
1059                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1060         } else {
1061                 hdr = (void *) skb_push(skb, 3);
1062                 hdr->len = __len8(len);
1063         }
1064         hdr->addr = addr;
1065         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1066
1067         crc = skb_put(skb, 1);
1068         *crc = __fcs((void *) hdr);
1069 }
1070
1071 /* ---- RFCOMM frame reception ---- */
1072 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1073 {
1074         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1075
1076         if (dlci) {
1077                 /* Data channel */
1078                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1079                 if (!d) {
1080                         rfcomm_send_dm(s, dlci);
1081                         return 0;
1082                 }
1083
1084                 switch (d->state) {
1085                 case BT_CONNECT:
1086                         rfcomm_dlc_clear_timer(d);
1087
1088                         rfcomm_dlc_lock(d);
1089                         d->state = BT_CONNECTED;
1090                         d->state_change(d, 0);
1091                         rfcomm_dlc_unlock(d);
1092
1093                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1094                         break;
1095
1096                 case BT_DISCONN:
1097                         d->state = BT_CLOSED;
1098                         __rfcomm_dlc_close(d, 0);
1099
1100                         if (list_empty(&s->dlcs)) {
1101                                 s->state = BT_DISCONN;
1102                                 rfcomm_send_disc(s, 0);
1103                         }
1104
1105                         break;
1106                 }
1107         } else {
1108                 /* Control channel */
1109                 switch (s->state) {
1110                 case BT_CONNECT:
1111                         s->state = BT_CONNECTED;
1112                         rfcomm_process_connect(s);
1113                         break;
1114
1115                 case BT_DISCONN:
1116                         rfcomm_session_put(s);
1117                         break;
1118                 }
1119         }
1120         return 0;
1121 }
1122
1123 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1124 {
1125         int err = 0;
1126
1127         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1128
1129         if (dlci) {
1130                 /* Data DLC */
1131                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1132                 if (d) {
1133                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1134                                 err = ECONNREFUSED;
1135                         else
1136                                 err = ECONNRESET;
1137
1138                         d->state = BT_CLOSED;
1139                         __rfcomm_dlc_close(d, err);
1140                 }
1141         } else {
1142                 if (s->state == BT_CONNECT)
1143                         err = ECONNREFUSED;
1144                 else
1145                         err = ECONNRESET;
1146
1147                 s->state = BT_CLOSED;
1148                 rfcomm_session_close(s, err);
1149         }
1150         return 0;
1151 }
1152
1153 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1154 {
1155         int err = 0;
1156
1157         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1158
1159         if (dlci) {
1160                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1161                 if (d) {
1162                         rfcomm_send_ua(s, dlci);
1163
1164                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1165                                 err = ECONNREFUSED;
1166                         else
1167                                 err = ECONNRESET;
1168
1169                         d->state = BT_CLOSED;
1170                         __rfcomm_dlc_close(d, err);
1171                 } else
1172                         rfcomm_send_dm(s, dlci);
1173
1174         } else {
1175                 rfcomm_send_ua(s, 0);
1176
1177                 if (s->state == BT_CONNECT)
1178                         err = ECONNREFUSED;
1179                 else
1180                         err = ECONNRESET;
1181
1182                 s->state = BT_CLOSED;
1183                 rfcomm_session_close(s, err);
1184         }
1185
1186         return 0;
1187 }
1188
1189 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1190 {
1191         struct sock *sk = d->session->sock->sk;
1192
1193         BT_DBG("dlc %p", d);
1194
1195         rfcomm_send_ua(d->session, d->dlci);
1196
1197         rfcomm_dlc_clear_timer(d);
1198
1199         rfcomm_dlc_lock(d);
1200         d->state = BT_CONNECTED;
1201         d->state_change(d, 0);
1202         rfcomm_dlc_unlock(d);
1203
1204         if (d->role_switch)
1205                 hci_conn_switch_role(l2cap_pi(sk)->conn->hcon, 0x00);
1206
1207         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1208 }
1209
1210 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1211 {
1212         if (rfcomm_check_security(d)) {
1213                 if (d->defer_setup) {
1214                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1215                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1216
1217                         rfcomm_dlc_lock(d);
1218                         d->state = BT_CONNECT2;
1219                         d->state_change(d, 0);
1220                         rfcomm_dlc_unlock(d);
1221                 } else
1222                         rfcomm_dlc_accept(d);
1223         } else {
1224                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1225                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1226         }
1227 }
1228
1229 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1230 {
1231         struct rfcomm_dlc *d;
1232         u8 channel;
1233
1234         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1235
1236         if (!dlci) {
1237                 rfcomm_send_ua(s, 0);
1238
1239                 if (s->state == BT_OPEN) {
1240                         s->state = BT_CONNECTED;
1241                         rfcomm_process_connect(s);
1242                 }
1243                 return 0;
1244         }
1245
1246         /* Check if DLC exists */
1247         d = rfcomm_dlc_get(s, dlci);
1248         if (d) {
1249                 if (d->state == BT_OPEN) {
1250                         /* DLC was previously opened by PN request */
1251                         rfcomm_check_accept(d);
1252                 }
1253                 return 0;
1254         }
1255
1256         /* Notify socket layer about incoming connection */
1257         channel = __srv_channel(dlci);
1258         if (rfcomm_connect_ind(s, channel, &d)) {
1259                 d->dlci = dlci;
1260                 d->addr = __addr(s->initiator, dlci);
1261                 rfcomm_dlc_link(s, d);
1262
1263                 rfcomm_check_accept(d);
1264         } else {
1265                 rfcomm_send_dm(s, dlci);
1266         }
1267
1268         return 0;
1269 }
1270
1271 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1272 {
1273         struct rfcomm_session *s = d->session;
1274
1275         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1276                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1277
1278         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1279                                                 pn->flow_ctrl == 0xe0) {
1280                 d->cfc = RFCOMM_CFC_ENABLED;
1281                 d->tx_credits = pn->credits;
1282         } else {
1283                 d->cfc = RFCOMM_CFC_DISABLED;
1284                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1285         }
1286
1287         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1288                 s->cfc = d->cfc;
1289
1290         d->priority = pn->priority;
1291
1292         d->mtu = __le16_to_cpu(pn->mtu);
1293
1294         if (cr && d->mtu > s->mtu)
1295                 d->mtu = s->mtu;
1296
1297         return 0;
1298 }
1299
1300 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1301 {
1302         struct rfcomm_pn *pn = (void *) skb->data;
1303         struct rfcomm_dlc *d;
1304         u8 dlci = pn->dlci;
1305
1306         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1307
1308         if (!dlci)
1309                 return 0;
1310
1311         d = rfcomm_dlc_get(s, dlci);
1312         if (d) {
1313                 if (cr) {
1314                         /* PN request */
1315                         rfcomm_apply_pn(d, cr, pn);
1316                         rfcomm_send_pn(s, 0, d);
1317                 } else {
1318                         /* PN response */
1319                         switch (d->state) {
1320                         case BT_CONFIG:
1321                                 rfcomm_apply_pn(d, cr, pn);
1322
1323                                 d->state = BT_CONNECT;
1324                                 rfcomm_send_sabm(s, d->dlci);
1325                                 break;
1326                         }
1327                 }
1328         } else {
1329                 u8 channel = __srv_channel(dlci);
1330
1331                 if (!cr)
1332                         return 0;
1333
1334                 /* PN request for non existing DLC.
1335                  * Assume incoming connection. */
1336                 if (rfcomm_connect_ind(s, channel, &d)) {
1337                         d->dlci = dlci;
1338                         d->addr = __addr(s->initiator, dlci);
1339                         rfcomm_dlc_link(s, d);
1340
1341                         rfcomm_apply_pn(d, cr, pn);
1342
1343                         d->state = BT_OPEN;
1344                         rfcomm_send_pn(s, 0, d);
1345                 } else {
1346                         rfcomm_send_dm(s, dlci);
1347                 }
1348         }
1349         return 0;
1350 }
1351
1352 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1353 {
1354         struct rfcomm_rpn *rpn = (void *) skb->data;
1355         u8 dlci = __get_dlci(rpn->dlci);
1356
1357         u8 bit_rate  = 0;
1358         u8 data_bits = 0;
1359         u8 stop_bits = 0;
1360         u8 parity    = 0;
1361         u8 flow_ctrl = 0;
1362         u8 xon_char  = 0;
1363         u8 xoff_char = 0;
1364         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1365
1366         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1367                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1368                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1369
1370         if (!cr)
1371                 return 0;
1372
1373         if (len == 1) {
1374                 /* This is a request, return default settings */
1375                 bit_rate  = RFCOMM_RPN_BR_115200;
1376                 data_bits = RFCOMM_RPN_DATA_8;
1377                 stop_bits = RFCOMM_RPN_STOP_1;
1378                 parity    = RFCOMM_RPN_PARITY_NONE;
1379                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1380                 xon_char  = RFCOMM_RPN_XON_CHAR;
1381                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1382                 goto rpn_out;
1383         }
1384
1385         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1386          * no parity, no flow control lines, normal XON/XOFF chars */
1387
1388         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1389                 bit_rate = rpn->bit_rate;
1390                 if (bit_rate != RFCOMM_RPN_BR_115200) {
1391                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1392                         bit_rate = RFCOMM_RPN_BR_115200;
1393                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1394                 }
1395         }
1396
1397         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1398                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1399                 if (data_bits != RFCOMM_RPN_DATA_8) {
1400                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1401                         data_bits = RFCOMM_RPN_DATA_8;
1402                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1403                 }
1404         }
1405
1406         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1407                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1408                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1409                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1410                         stop_bits = RFCOMM_RPN_STOP_1;
1411                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1412                 }
1413         }
1414
1415         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1416                 parity = __get_rpn_parity(rpn->line_settings);
1417                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1418                         BT_DBG("RPN parity mismatch 0x%x", parity);
1419                         parity = RFCOMM_RPN_PARITY_NONE;
1420                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1421                 }
1422         }
1423
1424         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1425                 flow_ctrl = rpn->flow_ctrl;
1426                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1427                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1428                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1429                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1430                 }
1431         }
1432
1433         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1434                 xon_char = rpn->xon_char;
1435                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1436                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1437                         xon_char = RFCOMM_RPN_XON_CHAR;
1438                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1439                 }
1440         }
1441
1442         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1443                 xoff_char = rpn->xoff_char;
1444                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1445                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1446                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1447                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1448                 }
1449         }
1450
1451 rpn_out:
1452         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1453                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1454
1455         return 0;
1456 }
1457
1458 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1459 {
1460         struct rfcomm_rls *rls = (void *) skb->data;
1461         u8 dlci = __get_dlci(rls->dlci);
1462
1463         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1464
1465         if (!cr)
1466                 return 0;
1467
1468         /* We should probably do something with this information here. But
1469          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1470          * mandatory to recognise and respond to RLS */
1471
1472         rfcomm_send_rls(s, 0, dlci, rls->status);
1473
1474         return 0;
1475 }
1476
1477 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1478 {
1479         struct rfcomm_msc *msc = (void *) skb->data;
1480         struct rfcomm_dlc *d;
1481         u8 dlci = __get_dlci(msc->dlci);
1482
1483         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1484
1485         d = rfcomm_dlc_get(s, dlci);
1486         if (!d)
1487                 return 0;
1488
1489         if (cr) {
1490                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1491                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1492                 else
1493                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1494
1495                 rfcomm_dlc_lock(d);
1496
1497                 d->remote_v24_sig = msc->v24_sig;
1498
1499                 if (d->modem_status)
1500                         d->modem_status(d, msc->v24_sig);
1501
1502                 rfcomm_dlc_unlock(d);
1503
1504                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1505
1506                 d->mscex |= RFCOMM_MSCEX_RX;
1507         } else
1508                 d->mscex |= RFCOMM_MSCEX_TX;
1509
1510         return 0;
1511 }
1512
1513 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1514 {
1515         struct rfcomm_mcc *mcc = (void *) skb->data;
1516         u8 type, cr, len;
1517
1518         cr   = __test_cr(mcc->type);
1519         type = __get_mcc_type(mcc->type);
1520         len  = __get_mcc_len(mcc->len);
1521
1522         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1523
1524         skb_pull(skb, 2);
1525
1526         switch (type) {
1527         case RFCOMM_PN:
1528                 rfcomm_recv_pn(s, cr, skb);
1529                 break;
1530
1531         case RFCOMM_RPN:
1532                 rfcomm_recv_rpn(s, cr, len, skb);
1533                 break;
1534
1535         case RFCOMM_RLS:
1536                 rfcomm_recv_rls(s, cr, skb);
1537                 break;
1538
1539         case RFCOMM_MSC:
1540                 rfcomm_recv_msc(s, cr, skb);
1541                 break;
1542
1543         case RFCOMM_FCOFF:
1544                 if (cr) {
1545                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1546                         rfcomm_send_fcoff(s, 0);
1547                 }
1548                 break;
1549
1550         case RFCOMM_FCON:
1551                 if (cr) {
1552                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1553                         rfcomm_send_fcon(s, 0);
1554                 }
1555                 break;
1556
1557         case RFCOMM_TEST:
1558                 if (cr)
1559                         rfcomm_send_test(s, 0, skb->data, skb->len);
1560                 break;
1561
1562         case RFCOMM_NSC:
1563                 break;
1564
1565         default:
1566                 BT_ERR("Unknown control type 0x%02x", type);
1567                 rfcomm_send_nsc(s, cr, type);
1568                 break;
1569         }
1570         return 0;
1571 }
1572
1573 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1574 {
1575         struct rfcomm_dlc *d;
1576
1577         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1578
1579         d = rfcomm_dlc_get(s, dlci);
1580         if (!d) {
1581                 rfcomm_send_dm(s, dlci);
1582                 goto drop;
1583         }
1584
1585         if (pf && d->cfc) {
1586                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1587
1588                 d->tx_credits += credits;
1589                 if (d->tx_credits)
1590                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1591         }
1592
1593         if (skb->len && d->state == BT_CONNECTED) {
1594                 rfcomm_dlc_lock(d);
1595                 d->rx_credits--;
1596                 d->data_ready(d, skb);
1597                 rfcomm_dlc_unlock(d);
1598                 return 0;
1599         }
1600
1601 drop:
1602         kfree_skb(skb);
1603         return 0;
1604 }
1605
1606 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1607 {
1608         struct rfcomm_hdr *hdr = (void *) skb->data;
1609         u8 type, dlci, fcs;
1610
1611         dlci = __get_dlci(hdr->addr);
1612         type = __get_type(hdr->ctrl);
1613
1614         /* Trim FCS */
1615         skb->len--; skb->tail--;
1616         fcs = *(u8 *)skb_tail_pointer(skb);
1617
1618         if (__check_fcs(skb->data, type, fcs)) {
1619                 BT_ERR("bad checksum in packet");
1620                 kfree_skb(skb);
1621                 return -EILSEQ;
1622         }
1623
1624         if (__test_ea(hdr->len))
1625                 skb_pull(skb, 3);
1626         else
1627                 skb_pull(skb, 4);
1628
1629         switch (type) {
1630         case RFCOMM_SABM:
1631                 if (__test_pf(hdr->ctrl))
1632                         rfcomm_recv_sabm(s, dlci);
1633                 break;
1634
1635         case RFCOMM_DISC:
1636                 if (__test_pf(hdr->ctrl))
1637                         rfcomm_recv_disc(s, dlci);
1638                 break;
1639
1640         case RFCOMM_UA:
1641                 if (__test_pf(hdr->ctrl))
1642                         rfcomm_recv_ua(s, dlci);
1643                 break;
1644
1645         case RFCOMM_DM:
1646                 rfcomm_recv_dm(s, dlci);
1647                 break;
1648
1649         case RFCOMM_UIH:
1650                 if (dlci)
1651                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1652
1653                 rfcomm_recv_mcc(s, skb);
1654                 break;
1655
1656         default:
1657                 BT_ERR("Unknown packet type 0x%02x\n", type);
1658                 break;
1659         }
1660         kfree_skb(skb);
1661         return 0;
1662 }
1663
1664 /* ---- Connection and data processing ---- */
1665
1666 static void rfcomm_process_connect(struct rfcomm_session *s)
1667 {
1668         struct rfcomm_dlc *d;
1669         struct list_head *p, *n;
1670
1671         BT_DBG("session %p state %ld", s, s->state);
1672
1673         list_for_each_safe(p, n, &s->dlcs) {
1674                 d = list_entry(p, struct rfcomm_dlc, list);
1675                 if (d->state == BT_CONFIG) {
1676                         d->mtu = s->mtu;
1677                         if (rfcomm_check_security(d)) {
1678                                 rfcomm_send_pn(s, 1, d);
1679                         } else {
1680                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1681                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1682                         }
1683                 }
1684         }
1685 }
1686
1687 /* Send data queued for the DLC.
1688  * Return number of frames left in the queue.
1689  */
1690 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1691 {
1692         struct sk_buff *skb;
1693         int err;
1694
1695         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1696                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1697
1698         /* Send pending MSC */
1699         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1700                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1701
1702         if (d->cfc) {
1703                 /* CFC enabled.
1704                  * Give them some credits */
1705                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1706                                 d->rx_credits <= (d->cfc >> 2)) {
1707                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1708                         d->rx_credits = d->cfc;
1709                 }
1710         } else {
1711                 /* CFC disabled.
1712                  * Give ourselves some credits */
1713                 d->tx_credits = 5;
1714         }
1715
1716         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1717                 return skb_queue_len(&d->tx_queue);
1718
1719         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1720                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1721                 if (err < 0) {
1722                         skb_queue_head(&d->tx_queue, skb);
1723                         break;
1724                 }
1725                 kfree_skb(skb);
1726                 d->tx_credits--;
1727         }
1728
1729         if (d->cfc && !d->tx_credits) {
1730                 /* We're out of TX credits.
1731                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1732                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1733         }
1734
1735         return skb_queue_len(&d->tx_queue);
1736 }
1737
1738 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1739 {
1740         struct rfcomm_dlc *d;
1741         struct list_head *p, *n;
1742
1743         BT_DBG("session %p state %ld", s, s->state);
1744
1745         list_for_each_safe(p, n, &s->dlcs) {
1746                 d = list_entry(p, struct rfcomm_dlc, list);
1747
1748                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1749                         __rfcomm_dlc_close(d, ETIMEDOUT);
1750                         continue;
1751                 }
1752
1753                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1754                         rfcomm_dlc_clear_timer(d);
1755                         if (d->out) {
1756                                 rfcomm_send_pn(s, 1, d);
1757                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1758                         } else {
1759                                 if (d->defer_setup) {
1760                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1761                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1762
1763                                         rfcomm_dlc_lock(d);
1764                                         d->state = BT_CONNECT2;
1765                                         d->state_change(d, 0);
1766                                         rfcomm_dlc_unlock(d);
1767                                 } else
1768                                         rfcomm_dlc_accept(d);
1769                         }
1770                         continue;
1771                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1772                         rfcomm_dlc_clear_timer(d);
1773                         if (!d->out)
1774                                 rfcomm_send_dm(s, d->dlci);
1775                         else
1776                                 d->state = BT_CLOSED;
1777                         __rfcomm_dlc_close(d, ECONNREFUSED);
1778                         continue;
1779                 }
1780
1781                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1782                         continue;
1783
1784                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1785                         continue;
1786
1787                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1788                                                 d->mscex == RFCOMM_MSCEX_OK)
1789                         rfcomm_process_tx(d);
1790         }
1791 }
1792
1793 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1794 {
1795         struct socket *sock = s->sock;
1796         struct sock *sk = sock->sk;
1797         struct sk_buff *skb;
1798
1799         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1800
1801         /* Get data directly from socket receive queue without copying it. */
1802         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1803                 skb_orphan(skb);
1804                 rfcomm_recv_frame(s, skb);
1805         }
1806
1807         if (sk->sk_state == BT_CLOSED) {
1808                 if (!s->initiator)
1809                         rfcomm_session_put(s);
1810
1811                 rfcomm_session_close(s, sk->sk_err);
1812         }
1813 }
1814
1815 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1816 {
1817         struct socket *sock = s->sock, *nsock;
1818         int err;
1819
1820         /* Fast check for a new connection.
1821          * Avoids unnesesary socket allocations. */
1822         if (list_empty(&bt_sk(sock->sk)->accept_q))
1823                 return;
1824
1825         BT_DBG("session %p", s);
1826
1827         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1828         if (err < 0)
1829                 return;
1830
1831         /* Set our callbacks */
1832         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1833         nsock->sk->sk_state_change = rfcomm_l2state_change;
1834
1835         s = rfcomm_session_add(nsock, BT_OPEN);
1836         if (s) {
1837                 rfcomm_session_hold(s);
1838
1839                 /* We should adjust MTU on incoming sessions.
1840                  * L2CAP MTU minus UIH header and FCS. */
1841                 s->mtu = min(l2cap_pi(nsock->sk)->omtu, l2cap_pi(nsock->sk)->imtu) - 5;
1842
1843                 rfcomm_schedule(RFCOMM_SCHED_RX);
1844         } else
1845                 sock_release(nsock);
1846 }
1847
1848 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1849 {
1850         struct sock *sk = s->sock->sk;
1851
1852         BT_DBG("%p state %ld", s, s->state);
1853
1854         switch(sk->sk_state) {
1855         case BT_CONNECTED:
1856                 s->state = BT_CONNECT;
1857
1858                 /* We can adjust MTU on outgoing sessions.
1859                  * L2CAP MTU minus UIH header and FCS. */
1860                 s->mtu = min(l2cap_pi(sk)->omtu, l2cap_pi(sk)->imtu) - 5;
1861
1862                 rfcomm_send_sabm(s, 0);
1863                 break;
1864
1865         case BT_CLOSED:
1866                 s->state = BT_CLOSED;
1867                 rfcomm_session_close(s, sk->sk_err);
1868                 break;
1869         }
1870 }
1871
1872 static inline void rfcomm_process_sessions(void)
1873 {
1874         struct list_head *p, *n;
1875
1876         rfcomm_lock();
1877
1878         list_for_each_safe(p, n, &session_list) {
1879                 struct rfcomm_session *s;
1880                 s = list_entry(p, struct rfcomm_session, list);
1881
1882                 if (s->state == BT_LISTEN) {
1883                         rfcomm_accept_connection(s);
1884                         continue;
1885                 }
1886
1887                 rfcomm_session_hold(s);
1888
1889                 switch (s->state) {
1890                 case BT_BOUND:
1891                         rfcomm_check_connection(s);
1892                         break;
1893
1894                 default:
1895                         rfcomm_process_rx(s);
1896                         break;
1897                 }
1898
1899                 rfcomm_process_dlcs(s);
1900
1901                 rfcomm_session_put(s);
1902         }
1903
1904         rfcomm_unlock();
1905 }
1906
1907 static int rfcomm_add_listener(bdaddr_t *ba)
1908 {
1909         struct sockaddr_l2 addr;
1910         struct socket *sock;
1911         struct sock *sk;
1912         struct rfcomm_session *s;
1913         int    err = 0;
1914
1915         /* Create socket */
1916         err = rfcomm_l2sock_create(&sock);
1917         if (err < 0) {
1918                 BT_ERR("Create socket failed %d", err);
1919                 return err;
1920         }
1921
1922         /* Bind socket */
1923         bacpy(&addr.l2_bdaddr, ba);
1924         addr.l2_family = AF_BLUETOOTH;
1925         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
1926         addr.l2_cid    = 0;
1927         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1928         if (err < 0) {
1929                 BT_ERR("Bind failed %d", err);
1930                 goto failed;
1931         }
1932
1933         /* Set L2CAP options */
1934         sk = sock->sk;
1935         lock_sock(sk);
1936         l2cap_pi(sk)->imtu = l2cap_mtu;
1937         release_sock(sk);
1938
1939         /* Start listening on the socket */
1940         err = kernel_listen(sock, 10);
1941         if (err) {
1942                 BT_ERR("Listen failed %d", err);
1943                 goto failed;
1944         }
1945
1946         /* Add listening session */
1947         s = rfcomm_session_add(sock, BT_LISTEN);
1948         if (!s)
1949                 goto failed;
1950
1951         rfcomm_session_hold(s);
1952         return 0;
1953 failed:
1954         sock_release(sock);
1955         return err;
1956 }
1957
1958 static void rfcomm_kill_listener(void)
1959 {
1960         struct rfcomm_session *s;
1961         struct list_head *p, *n;
1962
1963         BT_DBG("");
1964
1965         list_for_each_safe(p, n, &session_list) {
1966                 s = list_entry(p, struct rfcomm_session, list);
1967                 rfcomm_session_del(s);
1968         }
1969 }
1970
1971 static int rfcomm_run(void *unused)
1972 {
1973         BT_DBG("");
1974
1975         set_user_nice(current, -10);
1976
1977         rfcomm_add_listener(BDADDR_ANY);
1978
1979         while (!kthread_should_stop()) {
1980                 set_current_state(TASK_INTERRUPTIBLE);
1981                 if (!test_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event)) {
1982                         /* No pending events. Let's sleep.
1983                          * Incoming connections and data will wake us up. */
1984                         schedule();
1985                 }
1986                 set_current_state(TASK_RUNNING);
1987
1988                 /* Process stuff */
1989                 clear_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
1990                 rfcomm_process_sessions();
1991         }
1992
1993         rfcomm_kill_listener();
1994
1995         return 0;
1996 }
1997
1998 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
1999 {
2000         struct rfcomm_session *s;
2001         struct rfcomm_dlc *d;
2002         struct list_head *p, *n;
2003
2004         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2005
2006         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2007         if (!s)
2008                 return;
2009
2010         rfcomm_session_hold(s);
2011
2012         list_for_each_safe(p, n, &s->dlcs) {
2013                 d = list_entry(p, struct rfcomm_dlc, list);
2014
2015                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2016                         rfcomm_dlc_clear_timer(d);
2017                         if (status || encrypt == 0x00) {
2018                                 __rfcomm_dlc_close(d, ECONNREFUSED);
2019                                 continue;
2020                         }
2021                 }
2022
2023                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2024                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2025                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2026                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2027                                 continue;
2028                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2029                                 __rfcomm_dlc_close(d, ECONNREFUSED);
2030                                 continue;
2031                         }
2032                 }
2033
2034                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2035                         continue;
2036
2037                 if (!status)
2038                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2039                 else
2040                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2041         }
2042
2043         rfcomm_session_put(s);
2044
2045         rfcomm_schedule(RFCOMM_SCHED_AUTH);
2046 }
2047
2048 static struct hci_cb rfcomm_cb = {
2049         .name           = "RFCOMM",
2050         .security_cfm   = rfcomm_security_cfm
2051 };
2052
2053 static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
2054 {
2055         struct rfcomm_session *s;
2056         struct list_head *pp, *p;
2057         char *str = buf;
2058
2059         rfcomm_lock();
2060
2061         list_for_each(p, &session_list) {
2062                 s = list_entry(p, struct rfcomm_session, list);
2063                 list_for_each(pp, &s->dlcs) {
2064                         struct sock *sk = s->sock->sk;
2065                         struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
2066
2067                         str += sprintf(str, "%s %s %ld %d %d %d %d\n",
2068                                         batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
2069                                         d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits);
2070                 }
2071         }
2072
2073         rfcomm_unlock();
2074
2075         return (str - buf);
2076 }
2077
2078 static CLASS_ATTR(rfcomm_dlc, S_IRUGO, rfcomm_dlc_sysfs_show, NULL);
2079
2080 /* ---- Initialization ---- */
2081 static int __init rfcomm_init(void)
2082 {
2083         int err;
2084
2085         l2cap_load();
2086
2087         hci_register_cb(&rfcomm_cb);
2088
2089         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2090         if (IS_ERR(rfcomm_thread)) {
2091                 err = PTR_ERR(rfcomm_thread);
2092                 goto unregister;
2093         }
2094
2095         if (class_create_file(bt_class, &class_attr_rfcomm_dlc) < 0)
2096                 BT_ERR("Failed to create RFCOMM info file");
2097
2098         err = rfcomm_init_ttys();
2099         if (err < 0)
2100                 goto stop;
2101
2102         err = rfcomm_init_sockets();
2103         if (err < 0)
2104                 goto cleanup;
2105
2106         BT_INFO("RFCOMM ver %s", VERSION);
2107
2108         return 0;
2109
2110 cleanup:
2111         rfcomm_cleanup_ttys();
2112
2113 stop:
2114         kthread_stop(rfcomm_thread);
2115
2116 unregister:
2117         hci_unregister_cb(&rfcomm_cb);
2118
2119         return err;
2120 }
2121
2122 static void __exit rfcomm_exit(void)
2123 {
2124         class_remove_file(bt_class, &class_attr_rfcomm_dlc);
2125
2126         hci_unregister_cb(&rfcomm_cb);
2127
2128         kthread_stop(rfcomm_thread);
2129
2130         rfcomm_cleanup_ttys();
2131
2132         rfcomm_cleanup_sockets();
2133 }
2134
2135 module_init(rfcomm_init);
2136 module_exit(rfcomm_exit);
2137
2138 module_param(disable_cfc, bool, 0644);
2139 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2140
2141 module_param(channel_mtu, int, 0644);
2142 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2143
2144 module_param(l2cap_mtu, uint, 0644);
2145 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2146
2147 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2148 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2149 MODULE_VERSION(VERSION);
2150 MODULE_LICENSE("GPL");
2151 MODULE_ALIAS("bt-proto-3");