net/bluetooth/rfcomm/core.c

   1 /*
   2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
   4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License version 2 as
   8    published by the Free Software Foundation;
   9
  10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  18
  19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  21    SOFTWARE IS DISCLAIMED.
  22 */
  23
  24 /*
  25  * Bluetooth RFCOMM core.
  26  */
  27
  28 #include <linux/module.h>
  29 #include <linux/errno.h>
  30 #include <linux/kernel.h>
  31 #include <linux/sched.h>
  32 #include <linux/signal.h>
  33 #include <linux/init.h>
  34 #include <linux/wait.h>
  35 #include <linux/device.h>
  36 #include <linux/debugfs.h>
  37 #include <linux/seq_file.h>
  38 #include <linux/net.h>
  39 #include <linux/mutex.h>
  40 #include <linux/kthread.h>
  41 #include <linux/slab.h>
  42
  43 #include <net/sock.h>
  44 #include <linux/uaccess.h>
  45 #include <asm/unaligned.h>
  46
  47 #include <net/bluetooth/bluetooth.h>
  48 #include <net/bluetooth/hci_core.h>
  49 #include <net/bluetooth/l2cap.h>
  50 #include <net/bluetooth/rfcomm.h>
  51
  52 #define VERSION "1.11"
  53
  54 static int disable_cfc;
  55 static int l2cap_ertm;
  56 static int channel_mtu = -1;
  57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
  58
  59 static struct task_struct *rfcomm_thread;
  60
  61 static DEFINE_MUTEX(rfcomm_mutex);
  62 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
  63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
  64
  65 static unsigned long rfcomm_event;
  66
  67 static LIST_HEAD(session_list);
  68
  69 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
  70 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
  71 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
  72 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
  73 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
  74 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
  75 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
  76 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
  77 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
  78 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
  79
  80 static void rfcomm_process_connect(struct rfcomm_session *s);
  81
  82 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
  83                                                         bdaddr_t *dst,
  84                                                         u8 sec_level,
  85                                                         int *err);
  86 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
  87 static void rfcomm_session_del(struct rfcomm_session *s);
  88
  89 /* ---- RFCOMM frame parsing macros ---- */
  90 #define __get_dlci(b)     ((b & 0xfc) >> 2)
  91 #define __get_channel(b)  ((b & 0xf8) >> 3)
  92 #define __get_dir(b)      ((b & 0x04) >> 2)
  93 #define __get_type(b)     ((b & 0xef))
  94
  95 #define __test_ea(b)      ((b & 0x01))
  96 #define __test_cr(b)      ((b & 0x02))
  97 #define __test_pf(b)      ((b & 0x10))
  98
  99 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
 100 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
 101 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
 102 #define __srv_channel(dlci)    (dlci >> 1)
 103 #define __dir(dlci)            (dlci & 0x01)
 104
 105 #define __len8(len)       (((len) << 1) | 1)
 106 #define __len16(len)      ((len) << 1)
 107
 108 /* MCC macros */
 109 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
 110 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
 111 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
 112
 113 /* RPN macros */
 114 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
 115 #define __get_rpn_data_bits(line) ((line) & 0x3)
 116 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
 117 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
 118
 119 static inline void rfcomm_schedule(void)
 120 {
 121         if (!rfcomm_thread)
 122                 return;
 123         set_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
 124         wake_up_process(rfcomm_thread);
 125 }
 126
 127 static inline void rfcomm_session_put(struct rfcomm_session *s)
 128 {
 129         if (atomic_dec_and_test(&s->refcnt))
 130                 rfcomm_session_del(s);
 131 }
 132
 133 /* ---- RFCOMM FCS computation ---- */
 134
 135 /* reversed, 8-bit, poly=0x07 */
 136 static unsigned char rfcomm_crc_table[256] = {
 137         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
 138         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
 139         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
 140         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
 141
 142         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
 143         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
 144         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
 145         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
 146
 147         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
 148         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
 149         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
 150         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
 151
 152         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
 153         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
 154         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
 155         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
 156
 157         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
 158         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
 159         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
 160         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
 161
 162         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
 163         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
 164         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
 165         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
 166
 167         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
 168         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
 169         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
 170         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
 171
 172         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
 173         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
 174         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
 175         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
 176 };
 177
 178 /* CRC on 2 bytes */
 179 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
 180
 181 /* FCS on 2 bytes */
 182 static inline u8 __fcs(u8 *data)
 183 {
 184         return 0xff - __crc(data);
 185 }
 186
 187 /* FCS on 3 bytes */
 188 static inline u8 __fcs2(u8 *data)
 189 {
 190         return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
 191 }
 192
 193 /* Check FCS */
 194 static inline int __check_fcs(u8 *data, int type, u8 fcs)
 195 {
 196         u8 f = __crc(data);
 197
 198         if (type != RFCOMM_UIH)
 199                 f = rfcomm_crc_table[f ^ data[2]];
 200
 201         return rfcomm_crc_table[f ^ fcs] != 0xcf;
 202 }
 203
 204 /* ---- L2CAP callbacks ---- */
 205 static void rfcomm_l2state_change(struct sock *sk)
 206 {
 207         BT_DBG("%p state %d", sk, sk->sk_state);
 208         rfcomm_schedule();
 209 }
 210
 211 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
 212 {
 213         BT_DBG("%p bytes %d", sk, bytes);
 214         rfcomm_schedule();
 215 }
 216
 217 static int rfcomm_l2sock_create(struct socket **sock)
 218 {
 219         int err;
 220
 221         BT_DBG("");
 222
 223         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
 224         if (!err) {
 225                 struct sock *sk = (*sock)->sk;
 226                 sk->sk_data_ready   = rfcomm_l2data_ready;
 227                 sk->sk_state_change = rfcomm_l2state_change;
 228         }
 229         return err;
 230 }
 231
 232 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
 233 {
 234         struct sock *sk = d->session->sock->sk;
 235         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
 236
 237         __u8 auth_type;
 238
 239         switch (d->sec_level) {
 240         case BT_SECURITY_HIGH:
 241                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
 242                 break;
 243         case BT_SECURITY_MEDIUM:
 244                 auth_type = HCI_AT_GENERAL_BONDING;
 245                 break;
 246         default:
 247                 auth_type = HCI_AT_NO_BONDING;
 248                 break;
 249         }
 250
 251         return hci_conn_security(conn->hcon, d->sec_level, auth_type);
 252 }
 253
 254 static void rfcomm_session_timeout(unsigned long arg)
 255 {
 256         struct rfcomm_session *s = (void *) arg;
 257
 258         BT_DBG("session %p state %ld", s, s->state);
 259
 260         set_bit(RFCOMM_TIMED_OUT, &s->flags);
 261         rfcomm_schedule();
 262 }
 263
 264 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
 265 {
 266         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
 267
 268         if (!mod_timer(&s->timer, jiffies + timeout))
 269                 rfcomm_session_hold(s);
 270 }
 271
 272 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
 273 {
 274         BT_DBG("session %p state %ld", s, s->state);
 275
 276         if (timer_pending(&s->timer) && del_timer(&s->timer))
 277                 rfcomm_session_put(s);
 278 }
 279
 280 /* ---- RFCOMM DLCs ---- */
 281 static void rfcomm_dlc_timeout(unsigned long arg)
 282 {
 283         struct rfcomm_dlc *d = (void *) arg;
 284
 285         BT_DBG("dlc %p state %ld", d, d->state);
 286
 287         set_bit(RFCOMM_TIMED_OUT, &d->flags);
 288         rfcomm_dlc_put(d);
 289         rfcomm_schedule();
 290 }
 291
 292 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
 293 {
 294         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
 295
 296         if (!mod_timer(&d->timer, jiffies + timeout))
 297                 rfcomm_dlc_hold(d);
 298 }
 299
 300 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
 301 {
 302         BT_DBG("dlc %p state %ld", d, d->state);
 303
 304         if (timer_pending(&d->timer) && del_timer(&d->timer))
 305                 rfcomm_dlc_put(d);
 306 }
 307
 308 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
 309 {
 310         BT_DBG("%p", d);
 311
 312         d->state      = BT_OPEN;
 313         d->flags      = 0;
 314         d->mscex      = 0;
 315         d->sec_level  = BT_SECURITY_LOW;
 316         d->mtu        = RFCOMM_DEFAULT_MTU;
 317         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
 318
 319         d->cfc        = RFCOMM_CFC_DISABLED;
 320         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
 321 }
 322
 323 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
 324 {
 325         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
 326
 327         if (!d)
 328                 return NULL;
 329
 330         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
 331
 332         skb_queue_head_init(&d->tx_queue);
 333         spin_lock_init(&d->lock);
 334         atomic_set(&d->refcnt, 1);
 335
 336         rfcomm_dlc_clear_state(d);
 337
 338         BT_DBG("%p", d);
 339
 340         return d;
 341 }
 342
 343 void rfcomm_dlc_free(struct rfcomm_dlc *d)
 344 {
 345         BT_DBG("%p", d);
 346
 347         skb_queue_purge(&d->tx_queue);
 348         kfree(d);
 349 }
 350
 351 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
 352 {
 353         BT_DBG("dlc %p session %p", d, s);
 354
 355         rfcomm_session_hold(s);
 356
 357         rfcomm_session_clear_timer(s);
 358         rfcomm_dlc_hold(d);
 359         list_add(&d->list, &s->dlcs);
 360         d->session = s;
 361 }
 362
 363 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
 364 {
 365         struct rfcomm_session *s = d->session;
 366
 367         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
 368
 369         list_del(&d->list);
 370         d->session = NULL;
 371         rfcomm_dlc_put(d);
 372
 373         if (list_empty(&s->dlcs))
 374                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
 375
 376         rfcomm_session_put(s);
 377 }
 378
 379 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
 380 {
 381         struct rfcomm_dlc *d;
 382         struct list_head *p;
 383
 384         list_for_each(p, &s->dlcs) {
 385                 d = list_entry(p, struct rfcomm_dlc, list);
 386                 if (d->dlci == dlci)
 387                         return d;
 388         }
 389         return NULL;
 390 }
 391
 392 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
 393 {
 394         struct rfcomm_session *s;
 395         int err = 0;
 396         u8 dlci;
 397
 398         BT_DBG("dlc %p state %ld %s %s channel %d",
 399                         d, d->state, batostr(src), batostr(dst), channel);
 400
 401         if (channel < 1 || channel > 30)
 402                 return -EINVAL;
 403
 404         if (d->state != BT_OPEN && d->state != BT_CLOSED)
 405                 return 0;
 406
 407         s = rfcomm_session_get(src, dst);
 408         if (!s) {
 409                 s = rfcomm_session_create(src, dst, d->sec_level, &err);
 410                 if (!s)
 411                         return err;
 412         }
 413
 414         dlci = __dlci(!s->initiator, channel);
 415
 416         /* Check if DLCI already exists */
 417         if (rfcomm_dlc_get(s, dlci))
 418                 return -EBUSY;
 419
 420         rfcomm_dlc_clear_state(d);
 421
 422         d->dlci     = dlci;
 423         d->addr     = __addr(s->initiator, dlci);
 424         d->priority = 7;
 425
 426         d->state = BT_CONFIG;
 427         rfcomm_dlc_link(s, d);
 428
 429         d->out = 1;
 430
 431         d->mtu = s->mtu;
 432         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
 433
 434         if (s->state == BT_CONNECTED) {
 435                 if (rfcomm_check_security(d))
 436                         rfcomm_send_pn(s, 1, d);
 437                 else
 438                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
 439         }
 440
 441         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
 442
 443         return 0;
 444 }
 445
 446 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
 447 {
 448         int r;
 449
 450         rfcomm_lock();
 451
 452         r = __rfcomm_dlc_open(d, src, dst, channel);
 453
 454         rfcomm_unlock();
 455         return r;
 456 }
 457
 458 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 459 {
 460         struct rfcomm_session *s = d->session;
 461         if (!s)
 462                 return 0;
 463
 464         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
 465                         d, d->state, d->dlci, err, s);
 466
 467         switch (d->state) {
 468         case BT_CONNECT:
 469         case BT_CONFIG:
 470                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
 471                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
 472                         rfcomm_schedule();
 473                         break;
 474                 }
 475                 /* Fall through */
 476
 477         case BT_CONNECTED:
 478                 d->state = BT_DISCONN;
 479                 if (skb_queue_empty(&d->tx_queue)) {
 480                         rfcomm_send_disc(s, d->dlci);
 481                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
 482                 } else {
 483                         rfcomm_queue_disc(d);
 484                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
 485                 }
 486                 break;
 487
 488         case BT_OPEN:
 489         case BT_CONNECT2:
 490                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
 491                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
 492                         rfcomm_schedule();
 493                         break;
 494                 }
 495                 /* Fall through */
 496
 497         default:
 498                 rfcomm_dlc_clear_timer(d);
 499
 500                 rfcomm_dlc_lock(d);
 501                 d->state = BT_CLOSED;
 502                 d->state_change(d, err);
 503                 rfcomm_dlc_unlock(d);
 504
 505                 skb_queue_purge(&d->tx_queue);
 506                 rfcomm_dlc_unlink(d);
 507         }
 508
 509         return 0;
 510 }
 511
 512 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 513 {
 514         int r;
 515
 516         rfcomm_lock();
 517
 518         r = __rfcomm_dlc_close(d, err);
 519
 520         rfcomm_unlock();
 521         return r;
 522 }
 523
 524 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
 525 {
 526         int len = skb->len;
 527
 528         if (d->state != BT_CONNECTED)
 529                 return -ENOTCONN;
 530
 531         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
 532
 533         if (len > d->mtu)
 534                 return -EINVAL;
 535
 536         rfcomm_make_uih(skb, d->addr);
 537         skb_queue_tail(&d->tx_queue, skb);
 538
 539         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
 540                 rfcomm_schedule();
 541         return len;
 542 }
 543
 544 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
 545 {
 546         BT_DBG("dlc %p state %ld", d, d->state);
 547
 548         if (!d->cfc) {
 549                 d->v24_sig |= RFCOMM_V24_FC;
 550                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
 551         }
 552         rfcomm_schedule();
 553 }
 554
 555 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
 556 {
 557         BT_DBG("dlc %p state %ld", d, d->state);
 558
 559         if (!d->cfc) {
 560                 d->v24_sig &= ~RFCOMM_V24_FC;
 561                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
 562         }
 563         rfcomm_schedule();
 564 }
 565
 566 /*
 567    Set/get modem status functions use _local_ status i.e. what we report
 568    to the other side.
 569    Remote status is provided by dlc->modem_status() callback.
 570  */
 571 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
 572 {
 573         BT_DBG("dlc %p state %ld v24_sig 0x%x",
 574                         d, d->state, v24_sig);
 575
 576         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
 577                 v24_sig |= RFCOMM_V24_FC;
 578         else
 579                 v24_sig &= ~RFCOMM_V24_FC;
 580
 581         d->v24_sig = v24_sig;
 582
 583         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
 584                 rfcomm_schedule();
 585
 586         return 0;
 587 }
 588
 589 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
 590 {
 591         BT_DBG("dlc %p state %ld v24_sig 0x%x",
 592                         d, d->state, d->v24_sig);
 593
 594         *v24_sig = d->v24_sig;
 595         return 0;
 596 }
 597
 598 /* ---- RFCOMM sessions ---- */
 599 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
 600 {
 601         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
 602
 603         if (!s)
 604                 return NULL;
 605
 606         BT_DBG("session %p sock %p", s, sock);
 607
 608         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
 609
 610         INIT_LIST_HEAD(&s->dlcs);
 611         s->state = state;
 612         s->sock  = sock;
 613
 614         s->mtu = RFCOMM_DEFAULT_MTU;
 615         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
 616
 617         /* Do not increment module usage count for listening sessions.
 618          * Otherwise we won't be able to unload the module. */
 619         if (state != BT_LISTEN)
 620                 if (!try_module_get(THIS_MODULE)) {
 621                         kfree(s);
 622                         return NULL;
 623                 }
 624
 625         list_add(&s->list, &session_list);
 626
 627         return s;
 628 }
 629
 630 static void rfcomm_session_del(struct rfcomm_session *s)
 631 {
 632         int state = s->state;
 633
 634         BT_DBG("session %p state %ld", s, s->state);
 635
 636         list_del(&s->list);
 637
 638         if (state == BT_CONNECTED)
 639                 rfcomm_send_disc(s, 0);
 640
 641         rfcomm_session_clear_timer(s);
 642         sock_release(s->sock);
 643         kfree(s);
 644
 645         if (state != BT_LISTEN)
 646                 module_put(THIS_MODULE);
 647 }
 648
 649 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
 650 {
 651         struct rfcomm_session *s;
 652         struct list_head *p, *n;
 653         struct bt_sock *sk;
 654         list_for_each_safe(p, n, &session_list) {
 655                 s = list_entry(p, struct rfcomm_session, list);
 656                 sk = bt_sk(s->sock->sk);
 657
 658                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
 659                                 !bacmp(&sk->dst, dst))
 660                         return s;
 661         }
 662         return NULL;
 663 }
 664
 665 static void rfcomm_session_close(struct rfcomm_session *s, int err)
 666 {
 667         struct rfcomm_dlc *d;
 668         struct list_head *p, *n;
 669
 670         BT_DBG("session %p state %ld err %d", s, s->state, err);
 671
 672         rfcomm_session_hold(s);
 673
 674         s->state = BT_CLOSED;
 675
 676         /* Close all dlcs */
 677         list_for_each_safe(p, n, &s->dlcs) {
 678                 d = list_entry(p, struct rfcomm_dlc, list);
 679                 d->state = BT_CLOSED;
 680                 __rfcomm_dlc_close(d, err);
 681         }
 682
 683         rfcomm_session_clear_timer(s);
 684         rfcomm_session_put(s);
 685 }
 686
 687 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
 688                                                         bdaddr_t *dst,
 689                                                         u8 sec_level,
 690                                                         int *err)
 691 {
 692         struct rfcomm_session *s = NULL;
 693         struct sockaddr_l2 addr;
 694         struct socket *sock;
 695         struct sock *sk;
 696
 697         BT_DBG("%s %s", batostr(src), batostr(dst));
 698
 699         *err = rfcomm_l2sock_create(&sock);
 700         if (*err < 0)
 701                 return NULL;
 702
 703         bacpy(&addr.l2_bdaddr, src);
 704         addr.l2_family = AF_BLUETOOTH;
 705         addr.l2_psm    = 0;
 706         addr.l2_cid    = 0;
 707         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
 708         if (*err < 0)
 709                 goto failed;
 710
 711         /* Set L2CAP options */
 712         sk = sock->sk;
 713         lock_sock(sk);
 714         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
 715         l2cap_pi(sk)->chan->sec_level = sec_level;
 716         if (l2cap_ertm)
 717                 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
 718         release_sock(sk);
 719
 720         s = rfcomm_session_add(sock, BT_BOUND);
 721         if (!s) {
 722                 *err = -ENOMEM;
 723                 goto failed;
 724         }
 725
 726         s->initiator = 1;
 727
 728         bacpy(&addr.l2_bdaddr, dst);
 729         addr.l2_family = AF_BLUETOOTH;
 730         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
 731         addr.l2_cid    = 0;
 732         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
 733         if (*err == 0 || *err == -EINPROGRESS)
 734                 return s;
 735
 736         rfcomm_session_del(s);
 737         return NULL;
 738
 739 failed:
 740         sock_release(sock);
 741         return NULL;
 742 }
 743
 744 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
 745 {
 746         struct sock *sk = s->sock->sk;
 747         if (src)
 748                 bacpy(src, &bt_sk(sk)->src);
 749         if (dst)
 750                 bacpy(dst, &bt_sk(sk)->dst);
 751 }
 752
 753 /* ---- RFCOMM frame sending ---- */
 754 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
 755 {
 756         struct socket *sock = s->sock;
 757         struct kvec iv = { data, len };
 758         struct msghdr msg;
 759
 760         BT_DBG("session %p len %d", s, len);
 761
 762         memset(&msg, 0, sizeof(msg));
 763
 764         return kernel_sendmsg(sock, &msg, &iv, 1, len);
 765 }
 766
 767 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
 768 {
 769         struct rfcomm_cmd cmd;
 770
 771         BT_DBG("%p dlci %d", s, dlci);
 772
 773         cmd.addr = __addr(s->initiator, dlci);
 774         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
 775         cmd.len  = __len8(0);
 776         cmd.fcs  = __fcs2((u8 *) &cmd);
 777
 778         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
 779 }
 780
 781 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
 782 {
 783         struct rfcomm_cmd cmd;
 784
 785         BT_DBG("%p dlci %d", s, dlci);
 786
 787         cmd.addr = __addr(!s->initiator, dlci);
 788         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
 789         cmd.len  = __len8(0);
 790         cmd.fcs  = __fcs2((u8 *) &cmd);
 791
 792         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
 793 }
 794
 795 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
 796 {
 797         struct rfcomm_cmd cmd;
 798
 799         BT_DBG("%p dlci %d", s, dlci);
 800
 801         cmd.addr = __addr(s->initiator, dlci);
 802         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
 803         cmd.len  = __len8(0);
 804         cmd.fcs  = __fcs2((u8 *) &cmd);
 805
 806         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
 807 }
 808
 809 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
 810 {
 811         struct rfcomm_cmd *cmd;
 812         struct sk_buff *skb;
 813
 814         BT_DBG("dlc %p dlci %d", d, d->dlci);
 815
 816         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
 817         if (!skb)
 818                 return -ENOMEM;
 819
 820         cmd = (void *) __skb_put(skb, sizeof(*cmd));
 821         cmd->addr = d->addr;
 822         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
 823         cmd->len  = __len8(0);
 824         cmd->fcs  = __fcs2((u8 *) cmd);
 825
 826         skb_queue_tail(&d->tx_queue, skb);
 827         rfcomm_schedule();
 828         return 0;
 829 }
 830
 831 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
 832 {
 833         struct rfcomm_cmd cmd;
 834
 835         BT_DBG("%p dlci %d", s, dlci);
 836
 837         cmd.addr = __addr(!s->initiator, dlci);
 838         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
 839         cmd.len  = __len8(0);
 840         cmd.fcs  = __fcs2((u8 *) &cmd);
 841
 842         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
 843 }
 844
 845 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
 846 {
 847         struct rfcomm_hdr *hdr;
 848         struct rfcomm_mcc *mcc;
 849         u8 buf[16], *ptr = buf;
 850
 851         BT_DBG("%p cr %d type %d", s, cr, type);
 852
 853         hdr = (void *) ptr; ptr += sizeof(*hdr);
 854         hdr->addr = __addr(s->initiator, 0);
 855         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 856         hdr->len  = __len8(sizeof(*mcc) + 1);
 857
 858         mcc = (void *) ptr; ptr += sizeof(*mcc);
 859         mcc->type = __mcc_type(cr, RFCOMM_NSC);
 860         mcc->len  = __len8(1);
 861
 862         /* Type that we didn't like */
 863         *ptr = __mcc_type(cr, type); ptr++;
 864
 865         *ptr = __fcs(buf); ptr++;
 866
 867         return rfcomm_send_frame(s, buf, ptr - buf);
 868 }
 869
 870 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
 871 {
 872         struct rfcomm_hdr *hdr;
 873         struct rfcomm_mcc *mcc;
 874         struct rfcomm_pn  *pn;
 875         u8 buf[16], *ptr = buf;
 876
 877         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
 878
 879         hdr = (void *) ptr; ptr += sizeof(*hdr);
 880         hdr->addr = __addr(s->initiator, 0);
 881         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 882         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
 883
 884         mcc = (void *) ptr; ptr += sizeof(*mcc);
 885         mcc->type = __mcc_type(cr, RFCOMM_PN);
 886         mcc->len  = __len8(sizeof(*pn));
 887
 888         pn = (void *) ptr; ptr += sizeof(*pn);
 889         pn->dlci        = d->dlci;
 890         pn->priority    = d->priority;
 891         pn->ack_timer   = 0;
 892         pn->max_retrans = 0;
 893
 894         if (s->cfc) {
 895                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
 896                 pn->credits = RFCOMM_DEFAULT_CREDITS;
 897         } else {
 898                 pn->flow_ctrl = 0;
 899                 pn->credits   = 0;
 900         }
 901
 902         if (cr && channel_mtu >= 0)
 903                 pn->mtu = cpu_to_le16(channel_mtu);
 904         else
 905                 pn->mtu = cpu_to_le16(d->mtu);
 906
 907         *ptr = __fcs(buf); ptr++;
 908
 909         return rfcomm_send_frame(s, buf, ptr - buf);
 910 }
 911
 912 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
 913                         u8 bit_rate, u8 data_bits, u8 stop_bits,
 914                         u8 parity, u8 flow_ctrl_settings,
 915                         u8 xon_char, u8 xoff_char, u16 param_mask)
 916 {
 917         struct rfcomm_hdr *hdr;
 918         struct rfcomm_mcc *mcc;
 919         struct rfcomm_rpn *rpn;
 920         u8 buf[16], *ptr = buf;
 921
 922         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
 923                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
 924                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
 925                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
 926
 927         hdr = (void *) ptr; ptr += sizeof(*hdr);
 928         hdr->addr = __addr(s->initiator, 0);
 929         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 930         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
 931
 932         mcc = (void *) ptr; ptr += sizeof(*mcc);
 933         mcc->type = __mcc_type(cr, RFCOMM_RPN);
 934         mcc->len  = __len8(sizeof(*rpn));
 935
 936         rpn = (void *) ptr; ptr += sizeof(*rpn);
 937         rpn->dlci          = __addr(1, dlci);
 938         rpn->bit_rate      = bit_rate;
 939         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
 940         rpn->flow_ctrl     = flow_ctrl_settings;
 941         rpn->xon_char      = xon_char;
 942         rpn->xoff_char     = xoff_char;
 943         rpn->param_mask    = cpu_to_le16(param_mask);
 944
 945         *ptr = __fcs(buf); ptr++;
 946
 947         return rfcomm_send_frame(s, buf, ptr - buf);
 948 }
 949
 950 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
 951 {
 952         struct rfcomm_hdr *hdr;
 953         struct rfcomm_mcc *mcc;
 954         struct rfcomm_rls *rls;
 955         u8 buf[16], *ptr = buf;
 956
 957         BT_DBG("%p cr %d status 0x%x", s, cr, status);
 958
 959         hdr = (void *) ptr; ptr += sizeof(*hdr);
 960         hdr->addr = __addr(s->initiator, 0);
 961         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 962         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
 963
 964         mcc = (void *) ptr; ptr += sizeof(*mcc);
 965         mcc->type = __mcc_type(cr, RFCOMM_RLS);
 966         mcc->len  = __len8(sizeof(*rls));
 967
 968         rls = (void *) ptr; ptr += sizeof(*rls);
 969         rls->dlci   = __addr(1, dlci);
 970         rls->status = status;
 971
 972         *ptr = __fcs(buf); ptr++;
 973
 974         return rfcomm_send_frame(s, buf, ptr - buf);
 975 }
 976
 977 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
 978 {
 979         struct rfcomm_hdr *hdr;
 980         struct rfcomm_mcc *mcc;
 981         struct rfcomm_msc *msc;
 982         u8 buf[16], *ptr = buf;
 983
 984         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
 985
 986         hdr = (void *) ptr; ptr += sizeof(*hdr);
 987         hdr->addr = __addr(s->initiator, 0);
 988         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 989         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
 990
 991         mcc = (void *) ptr; ptr += sizeof(*mcc);
 992         mcc->type = __mcc_type(cr, RFCOMM_MSC);
 993         mcc->len  = __len8(sizeof(*msc));
 994
 995         msc = (void *) ptr; ptr += sizeof(*msc);
 996         msc->dlci    = __addr(1, dlci);
 997         msc->v24_sig = v24_sig | 0x01;
 998
 999         *ptr = __fcs(buf); ptr++;
1000
1001         return rfcomm_send_frame(s, buf, ptr - buf);
1002 }
1003
1004 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1005 {
1006         struct rfcomm_hdr *hdr;
1007         struct rfcomm_mcc *mcc;
1008         u8 buf[16], *ptr = buf;
1009
1010         BT_DBG("%p cr %d", s, cr);
1011
1012         hdr = (void *) ptr; ptr += sizeof(*hdr);
1013         hdr->addr = __addr(s->initiator, 0);
1014         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1015         hdr->len  = __len8(sizeof(*mcc));
1016
1017         mcc = (void *) ptr; ptr += sizeof(*mcc);
1018         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1019         mcc->len  = __len8(0);
1020
1021         *ptr = __fcs(buf); ptr++;
1022
1023         return rfcomm_send_frame(s, buf, ptr - buf);
1024 }
1025
1026 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1027 {
1028         struct rfcomm_hdr *hdr;
1029         struct rfcomm_mcc *mcc;
1030         u8 buf[16], *ptr = buf;
1031
1032         BT_DBG("%p cr %d", s, cr);
1033
1034         hdr = (void *) ptr; ptr += sizeof(*hdr);
1035         hdr->addr = __addr(s->initiator, 0);
1036         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1037         hdr->len  = __len8(sizeof(*mcc));
1038
1039         mcc = (void *) ptr; ptr += sizeof(*mcc);
1040         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1041         mcc->len  = __len8(0);
1042
1043         *ptr = __fcs(buf); ptr++;
1044
1045         return rfcomm_send_frame(s, buf, ptr - buf);
1046 }
1047
1048 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1049 {
1050         struct socket *sock = s->sock;
1051         struct kvec iv[3];
1052         struct msghdr msg;
1053         unsigned char hdr[5], crc[1];
1054
1055         if (len > 125)
1056                 return -EINVAL;
1057
1058         BT_DBG("%p cr %d", s, cr);
1059
1060         hdr[0] = __addr(s->initiator, 0);
1061         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1062         hdr[2] = 0x01 | ((len + 2) << 1);
1063         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1064         hdr[4] = 0x01 | (len << 1);
1065
1066         crc[0] = __fcs(hdr);
1067
1068         iv[0].iov_base = hdr;
1069         iv[0].iov_len  = 5;
1070         iv[1].iov_base = pattern;
1071         iv[1].iov_len  = len;
1072         iv[2].iov_base = crc;
1073         iv[2].iov_len  = 1;
1074
1075         memset(&msg, 0, sizeof(msg));
1076
1077         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1078 }
1079
1080 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1081 {
1082         struct rfcomm_hdr *hdr;
1083         u8 buf[16], *ptr = buf;
1084
1085         BT_DBG("%p addr %d credits %d", s, addr, credits);
1086
1087         hdr = (void *) ptr; ptr += sizeof(*hdr);
1088         hdr->addr = addr;
1089         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1090         hdr->len  = __len8(0);
1091
1092         *ptr = credits; ptr++;
1093
1094         *ptr = __fcs(buf); ptr++;
1095
1096         return rfcomm_send_frame(s, buf, ptr - buf);
1097 }
1098
1099 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1100 {
1101         struct rfcomm_hdr *hdr;
1102         int len = skb->len;
1103         u8 *crc;
1104
1105         if (len > 127) {
1106                 hdr = (void *) skb_push(skb, 4);
1107                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1108         } else {
1109                 hdr = (void *) skb_push(skb, 3);
1110                 hdr->len = __len8(len);
1111         }
1112         hdr->addr = addr;
1113         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1114
1115         crc = skb_put(skb, 1);
1116         *crc = __fcs((void *) hdr);
1117 }
1118
1119 /* ---- RFCOMM frame reception ---- */
1120 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1121 {
1122         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1123
1124         if (dlci) {
1125                 /* Data channel */
1126                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1127                 if (!d) {
1128                         rfcomm_send_dm(s, dlci);
1129                         return 0;
1130                 }
1131
1132                 switch (d->state) {
1133                 case BT_CONNECT:
1134                         rfcomm_dlc_clear_timer(d);
1135
1136                         rfcomm_dlc_lock(d);
1137                         d->state = BT_CONNECTED;
1138                         d->state_change(d, 0);
1139                         rfcomm_dlc_unlock(d);
1140
1141                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1142                         break;
1143
1144                 case BT_DISCONN:
1145                         d->state = BT_CLOSED;
1146                         __rfcomm_dlc_close(d, 0);
1147
1148                         if (list_empty(&s->dlcs)) {
1149                                 s->state = BT_DISCONN;
1150                                 rfcomm_send_disc(s, 0);
1151                         }
1152
1153                         break;
1154                 }
1155         } else {
1156                 /* Control channel */
1157                 switch (s->state) {
1158                 case BT_CONNECT:
1159                         s->state = BT_CONNECTED;
1160                         rfcomm_process_connect(s);
1161                         break;
1162
1163                 case BT_DISCONN:
1164                         /* When socket is closed and we are not RFCOMM
1165                          * initiator rfcomm_process_rx already calls
1166                          * rfcomm_session_put() */
1167                         if (s->sock->sk->sk_state != BT_CLOSED)
1168                                 if (list_empty(&s->dlcs))
1169                                         rfcomm_session_put(s);
1170                         break;
1171                 }
1172         }
1173         return 0;
1174 }
1175
1176 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1177 {
1178         int err = 0;
1179
1180         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1181
1182         if (dlci) {
1183                 /* Data DLC */
1184                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1185                 if (d) {
1186                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1187                                 err = ECONNREFUSED;
1188                         else
1189                                 err = ECONNRESET;
1190
1191                         d->state = BT_CLOSED;
1192                         __rfcomm_dlc_close(d, err);
1193                 }
1194         } else {
1195                 if (s->state == BT_CONNECT)
1196                         err = ECONNREFUSED;
1197                 else
1198                         err = ECONNRESET;
1199
1200                 s->state = BT_CLOSED;
1201                 rfcomm_session_close(s, err);
1202         }
1203         return 0;
1204 }
1205
1206 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1207 {
1208         int err = 0;
1209
1210         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1211
1212         if (dlci) {
1213                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1214                 if (d) {
1215                         rfcomm_send_ua(s, dlci);
1216
1217                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1218                                 err = ECONNREFUSED;
1219                         else
1220                                 err = ECONNRESET;
1221
1222                         d->state = BT_CLOSED;
1223                         __rfcomm_dlc_close(d, err);
1224                 } else
1225                         rfcomm_send_dm(s, dlci);
1226
1227         } else {
1228                 rfcomm_send_ua(s, 0);
1229
1230                 if (s->state == BT_CONNECT)
1231                         err = ECONNREFUSED;
1232                 else
1233                         err = ECONNRESET;
1234
1235                 s->state = BT_CLOSED;
1236                 rfcomm_session_close(s, err);
1237         }
1238
1239         return 0;
1240 }
1241
1242 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1243 {
1244         struct sock *sk = d->session->sock->sk;
1245         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1246
1247         BT_DBG("dlc %p", d);
1248
1249         rfcomm_send_ua(d->session, d->dlci);
1250
1251         rfcomm_dlc_clear_timer(d);
1252
1253         rfcomm_dlc_lock(d);
1254         d->state = BT_CONNECTED;
1255         d->state_change(d, 0);
1256         rfcomm_dlc_unlock(d);
1257
1258         if (d->role_switch)
1259                 hci_conn_switch_role(conn->hcon, 0x00);
1260
1261         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1262 }
1263
1264 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1265 {
1266         if (rfcomm_check_security(d)) {
1267                 if (d->defer_setup) {
1268                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1269                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1270
1271                         rfcomm_dlc_lock(d);
1272                         d->state = BT_CONNECT2;
1273                         d->state_change(d, 0);
1274                         rfcomm_dlc_unlock(d);
1275                 } else
1276                         rfcomm_dlc_accept(d);
1277         } else {
1278                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1279                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1280         }
1281 }
1282
1283 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1284 {
1285         struct rfcomm_dlc *d;
1286         u8 channel;
1287
1288         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1289
1290         if (!dlci) {
1291                 rfcomm_send_ua(s, 0);
1292
1293                 if (s->state == BT_OPEN) {
1294                         s->state = BT_CONNECTED;
1295                         rfcomm_process_connect(s);
1296                 }
1297                 return 0;
1298         }
1299
1300         /* Check if DLC exists */
1301         d = rfcomm_dlc_get(s, dlci);
1302         if (d) {
1303                 if (d->state == BT_OPEN) {
1304                         /* DLC was previously opened by PN request */
1305                         rfcomm_check_accept(d);
1306                 }
1307                 return 0;
1308         }
1309
1310         /* Notify socket layer about incoming connection */
1311         channel = __srv_channel(dlci);
1312         if (rfcomm_connect_ind(s, channel, &d)) {
1313                 d->dlci = dlci;
1314                 d->addr = __addr(s->initiator, dlci);
1315                 rfcomm_dlc_link(s, d);
1316
1317                 rfcomm_check_accept(d);
1318         } else {
1319                 rfcomm_send_dm(s, dlci);
1320         }
1321
1322         return 0;
1323 }
1324
1325 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1326 {
1327         struct rfcomm_session *s = d->session;
1328
1329         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1330                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1331
1332         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1333                                                 pn->flow_ctrl == 0xe0) {
1334                 d->cfc = RFCOMM_CFC_ENABLED;
1335                 d->tx_credits = pn->credits;
1336         } else {
1337                 d->cfc = RFCOMM_CFC_DISABLED;
1338                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1339         }
1340
1341         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1342                 s->cfc = d->cfc;
1343
1344         d->priority = pn->priority;
1345
1346         d->mtu = __le16_to_cpu(pn->mtu);
1347
1348         if (cr && d->mtu > s->mtu)
1349                 d->mtu = s->mtu;
1350
1351         return 0;
1352 }
1353
1354 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1355 {
1356         struct rfcomm_pn *pn = (void *) skb->data;
1357         struct rfcomm_dlc *d;
1358         u8 dlci = pn->dlci;
1359
1360         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1361
1362         if (!dlci)
1363                 return 0;
1364
1365         d = rfcomm_dlc_get(s, dlci);
1366         if (d) {
1367                 if (cr) {
1368                         /* PN request */
1369                         rfcomm_apply_pn(d, cr, pn);
1370                         rfcomm_send_pn(s, 0, d);
1371                 } else {
1372                         /* PN response */
1373                         switch (d->state) {
1374                         case BT_CONFIG:
1375                                 rfcomm_apply_pn(d, cr, pn);
1376
1377                                 d->state = BT_CONNECT;
1378                                 rfcomm_send_sabm(s, d->dlci);
1379                                 break;
1380                         }
1381                 }
1382         } else {
1383                 u8 channel = __srv_channel(dlci);
1384
1385                 if (!cr)
1386                         return 0;
1387
1388                 /* PN request for non existing DLC.
1389                  * Assume incoming connection. */
1390                 if (rfcomm_connect_ind(s, channel, &d)) {
1391                         d->dlci = dlci;
1392                         d->addr = __addr(s->initiator, dlci);
1393                         rfcomm_dlc_link(s, d);
1394
1395                         rfcomm_apply_pn(d, cr, pn);
1396
1397                         d->state = BT_OPEN;
1398                         rfcomm_send_pn(s, 0, d);
1399                 } else {
1400                         rfcomm_send_dm(s, dlci);
1401                 }
1402         }
1403         return 0;
1404 }
1405
1406 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1407 {
1408         struct rfcomm_rpn *rpn = (void *) skb->data;
1409         u8 dlci = __get_dlci(rpn->dlci);
1410
1411         u8 bit_rate  = 0;
1412         u8 data_bits = 0;
1413         u8 stop_bits = 0;
1414         u8 parity    = 0;
1415         u8 flow_ctrl = 0;
1416         u8 xon_char  = 0;
1417         u8 xoff_char = 0;
1418         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1419
1420         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1421                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1422                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1423
1424         if (!cr)
1425                 return 0;
1426
1427         if (len == 1) {
1428                 /* This is a request, return default (according to ETSI TS 07.10) settings */
1429                 bit_rate  = RFCOMM_RPN_BR_9600;
1430                 data_bits = RFCOMM_RPN_DATA_8;
1431                 stop_bits = RFCOMM_RPN_STOP_1;
1432                 parity    = RFCOMM_RPN_PARITY_NONE;
1433                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1434                 xon_char  = RFCOMM_RPN_XON_CHAR;
1435                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1436                 goto rpn_out;
1437         }
1438
1439         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1440          * no parity, no flow control lines, normal XON/XOFF chars */
1441
1442         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1443                 bit_rate = rpn->bit_rate;
1444                 if (bit_rate > RFCOMM_RPN_BR_230400) {
1445                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1446                         bit_rate = RFCOMM_RPN_BR_9600;
1447                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1448                 }
1449         }
1450
1451         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1452                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1453                 if (data_bits != RFCOMM_RPN_DATA_8) {
1454                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1455                         data_bits = RFCOMM_RPN_DATA_8;
1456                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1457                 }
1458         }
1459
1460         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1461                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1462                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1463                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1464                         stop_bits = RFCOMM_RPN_STOP_1;
1465                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1466                 }
1467         }
1468
1469         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1470                 parity = __get_rpn_parity(rpn->line_settings);
1471                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1472                         BT_DBG("RPN parity mismatch 0x%x", parity);
1473                         parity = RFCOMM_RPN_PARITY_NONE;
1474                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1475                 }
1476         }
1477
1478         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1479                 flow_ctrl = rpn->flow_ctrl;
1480                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1481                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1482                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1483                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1484                 }
1485         }
1486
1487         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1488                 xon_char = rpn->xon_char;
1489                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1490                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1491                         xon_char = RFCOMM_RPN_XON_CHAR;
1492                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1493                 }
1494         }
1495
1496         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1497                 xoff_char = rpn->xoff_char;
1498                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1499                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1500                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1501                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1502                 }
1503         }
1504
1505 rpn_out:
1506         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1507                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1508
1509         return 0;
1510 }
1511
1512 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1513 {
1514         struct rfcomm_rls *rls = (void *) skb->data;
1515         u8 dlci = __get_dlci(rls->dlci);
1516
1517         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1518
1519         if (!cr)
1520                 return 0;
1521
1522         /* We should probably do something with this information here. But
1523          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1524          * mandatory to recognise and respond to RLS */
1525
1526         rfcomm_send_rls(s, 0, dlci, rls->status);
1527
1528         return 0;
1529 }
1530
1531 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1532 {
1533         struct rfcomm_msc *msc = (void *) skb->data;
1534         struct rfcomm_dlc *d;
1535         u8 dlci = __get_dlci(msc->dlci);
1536
1537         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1538
1539         d = rfcomm_dlc_get(s, dlci);
1540         if (!d)
1541                 return 0;
1542
1543         if (cr) {
1544                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1545                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1546                 else
1547                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1548
1549                 rfcomm_dlc_lock(d);
1550
1551                 d->remote_v24_sig = msc->v24_sig;
1552
1553                 if (d->modem_status)
1554                         d->modem_status(d, msc->v24_sig);
1555
1556                 rfcomm_dlc_unlock(d);
1557
1558                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1559
1560                 d->mscex |= RFCOMM_MSCEX_RX;
1561         } else
1562                 d->mscex |= RFCOMM_MSCEX_TX;
1563
1564         return 0;
1565 }
1566
1567 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1568 {
1569         struct rfcomm_mcc *mcc = (void *) skb->data;
1570         u8 type, cr, len;
1571
1572         cr   = __test_cr(mcc->type);
1573         type = __get_mcc_type(mcc->type);
1574         len  = __get_mcc_len(mcc->len);
1575
1576         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1577
1578         skb_pull(skb, 2);
1579
1580         switch (type) {
1581         case RFCOMM_PN:
1582                 rfcomm_recv_pn(s, cr, skb);
1583                 break;
1584
1585         case RFCOMM_RPN:
1586                 rfcomm_recv_rpn(s, cr, len, skb);
1587                 break;
1588
1589         case RFCOMM_RLS:
1590                 rfcomm_recv_rls(s, cr, skb);
1591                 break;
1592
1593         case RFCOMM_MSC:
1594                 rfcomm_recv_msc(s, cr, skb);
1595                 break;
1596
1597         case RFCOMM_FCOFF:
1598                 if (cr) {
1599                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1600                         rfcomm_send_fcoff(s, 0);
1601                 }
1602                 break;
1603
1604         case RFCOMM_FCON:
1605                 if (cr) {
1606                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1607                         rfcomm_send_fcon(s, 0);
1608                 }
1609                 break;
1610
1611         case RFCOMM_TEST:
1612                 if (cr)
1613                         rfcomm_send_test(s, 0, skb->data, skb->len);
1614                 break;
1615
1616         case RFCOMM_NSC:
1617                 break;
1618
1619         default:
1620                 BT_ERR("Unknown control type 0x%02x", type);
1621                 rfcomm_send_nsc(s, cr, type);
1622                 break;
1623         }
1624         return 0;
1625 }
1626
1627 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1628 {
1629         struct rfcomm_dlc *d;
1630
1631         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1632
1633         d = rfcomm_dlc_get(s, dlci);
1634         if (!d) {
1635                 rfcomm_send_dm(s, dlci);
1636                 goto drop;
1637         }
1638
1639         if (pf && d->cfc) {
1640                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1641
1642                 d->tx_credits += credits;
1643                 if (d->tx_credits)
1644                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1645         }
1646
1647         if (skb->len && d->state == BT_CONNECTED) {
1648                 rfcomm_dlc_lock(d);
1649                 d->rx_credits--;
1650                 d->data_ready(d, skb);
1651                 rfcomm_dlc_unlock(d);
1652                 return 0;
1653         }
1654
1655 drop:
1656         kfree_skb(skb);
1657         return 0;
1658 }
1659
1660 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1661 {
1662         struct rfcomm_hdr *hdr = (void *) skb->data;
1663         u8 type, dlci, fcs;
1664
1665         dlci = __get_dlci(hdr->addr);
1666         type = __get_type(hdr->ctrl);
1667
1668         /* Trim FCS */
1669         skb->len--; skb->tail--;
1670         fcs = *(u8 *)skb_tail_pointer(skb);
1671
1672         if (__check_fcs(skb->data, type, fcs)) {
1673                 BT_ERR("bad checksum in packet");
1674                 kfree_skb(skb);
1675                 return -EILSEQ;
1676         }
1677
1678         if (__test_ea(hdr->len))
1679                 skb_pull(skb, 3);
1680         else
1681                 skb_pull(skb, 4);
1682
1683         switch (type) {
1684         case RFCOMM_SABM:
1685                 if (__test_pf(hdr->ctrl))
1686                         rfcomm_recv_sabm(s, dlci);
1687                 break;
1688
1689         case RFCOMM_DISC:
1690                 if (__test_pf(hdr->ctrl))
1691                         rfcomm_recv_disc(s, dlci);
1692                 break;
1693
1694         case RFCOMM_UA:
1695                 if (__test_pf(hdr->ctrl))
1696                         rfcomm_recv_ua(s, dlci);
1697                 break;
1698
1699         case RFCOMM_DM:
1700                 rfcomm_recv_dm(s, dlci);
1701                 break;
1702
1703         case RFCOMM_UIH:
1704                 if (dlci)
1705                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1706
1707                 rfcomm_recv_mcc(s, skb);
1708                 break;
1709
1710         default:
1711                 BT_ERR("Unknown packet type 0x%02x", type);
1712                 break;
1713         }
1714         kfree_skb(skb);
1715         return 0;
1716 }
1717
1718 /* ---- Connection and data processing ---- */
1719
1720 static void rfcomm_process_connect(struct rfcomm_session *s)
1721 {
1722         struct rfcomm_dlc *d;
1723         struct list_head *p, *n;
1724
1725         BT_DBG("session %p state %ld", s, s->state);
1726
1727         list_for_each_safe(p, n, &s->dlcs) {
1728                 d = list_entry(p, struct rfcomm_dlc, list);
1729                 if (d->state == BT_CONFIG) {
1730                         d->mtu = s->mtu;
1731                         if (rfcomm_check_security(d)) {
1732                                 rfcomm_send_pn(s, 1, d);
1733                         } else {
1734                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1735                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1736                         }
1737                 }
1738         }
1739 }
1740
1741 /* Send data queued for the DLC.
1742  * Return number of frames left in the queue.
1743  */
1744 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1745 {
1746         struct sk_buff *skb;
1747         int err;
1748
1749         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1750                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1751
1752         /* Send pending MSC */
1753         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1754                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1755
1756         if (d->cfc) {
1757                 /* CFC enabled.
1758                  * Give them some credits */
1759                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1760                                 d->rx_credits <= (d->cfc >> 2)) {
1761                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1762                         d->rx_credits = d->cfc;
1763                 }
1764         } else {
1765                 /* CFC disabled.
1766                  * Give ourselves some credits */
1767                 d->tx_credits = 5;
1768         }
1769
1770         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1771                 return skb_queue_len(&d->tx_queue);
1772
1773         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1774                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1775                 if (err < 0) {
1776                         skb_queue_head(&d->tx_queue, skb);
1777                         break;
1778                 }
1779                 kfree_skb(skb);
1780                 d->tx_credits--;
1781         }
1782
1783         if (d->cfc && !d->tx_credits) {
1784                 /* We're out of TX credits.
1785                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1786                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1787         }
1788
1789         return skb_queue_len(&d->tx_queue);
1790 }
1791
1792 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1793 {
1794         struct rfcomm_dlc *d;
1795         struct list_head *p, *n;
1796
1797         BT_DBG("session %p state %ld", s, s->state);
1798
1799         list_for_each_safe(p, n, &s->dlcs) {
1800                 d = list_entry(p, struct rfcomm_dlc, list);
1801
1802                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1803                         __rfcomm_dlc_close(d, ETIMEDOUT);
1804                         continue;
1805                 }
1806
1807                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1808                         rfcomm_dlc_clear_timer(d);
1809                         if (d->out) {
1810                                 rfcomm_send_pn(s, 1, d);
1811                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1812                         } else {
1813                                 if (d->defer_setup) {
1814                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1815                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1816
1817                                         rfcomm_dlc_lock(d);
1818                                         d->state = BT_CONNECT2;
1819                                         d->state_change(d, 0);
1820                                         rfcomm_dlc_unlock(d);
1821                                 } else
1822                                         rfcomm_dlc_accept(d);
1823                         }
1824                         continue;
1825                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1826                         rfcomm_dlc_clear_timer(d);
1827                         if (!d->out)
1828                                 rfcomm_send_dm(s, d->dlci);
1829                         else
1830                                 d->state = BT_CLOSED;
1831                         __rfcomm_dlc_close(d, ECONNREFUSED);
1832                         continue;
1833                 }
1834
1835                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1836                         continue;
1837
1838                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1839                         continue;
1840
1841                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1842                                                 d->mscex == RFCOMM_MSCEX_OK)
1843                         rfcomm_process_tx(d);
1844         }
1845 }
1846
1847 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1848 {
1849         struct socket *sock = s->sock;
1850         struct sock *sk = sock->sk;
1851         struct sk_buff *skb;
1852
1853         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1854
1855         /* Get data directly from socket receive queue without copying it. */
1856         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1857                 skb_orphan(skb);
1858                 rfcomm_recv_frame(s, skb);
1859         }
1860
1861         if (sk->sk_state == BT_CLOSED) {
1862                 if (!s->initiator)
1863                         rfcomm_session_put(s);
1864
1865                 rfcomm_session_close(s, sk->sk_err);
1866         }
1867 }
1868
1869 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1870 {
1871         struct socket *sock = s->sock, *nsock;
1872         int err;
1873
1874         /* Fast check for a new connection.
1875          * Avoids unnesesary socket allocations. */
1876         if (list_empty(&bt_sk(sock->sk)->accept_q))
1877                 return;
1878
1879         BT_DBG("session %p", s);
1880
1881         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1882         if (err < 0)
1883                 return;
1884
1885         /* Set our callbacks */
1886         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1887         nsock->sk->sk_state_change = rfcomm_l2state_change;
1888
1889         s = rfcomm_session_add(nsock, BT_OPEN);
1890         if (s) {
1891                 rfcomm_session_hold(s);
1892
1893                 /* We should adjust MTU on incoming sessions.
1894                  * L2CAP MTU minus UIH header and FCS. */
1895                 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1896                                 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1897
1898                 rfcomm_schedule();
1899         } else
1900                 sock_release(nsock);
1901 }
1902
1903 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1904 {
1905         struct sock *sk = s->sock->sk;
1906
1907         BT_DBG("%p state %ld", s, s->state);
1908
1909         switch (sk->sk_state) {
1910         case BT_CONNECTED:
1911                 s->state = BT_CONNECT;
1912
1913                 /* We can adjust MTU on outgoing sessions.
1914                  * L2CAP MTU minus UIH header and FCS. */
1915                 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1916
1917                 rfcomm_send_sabm(s, 0);
1918                 break;
1919
1920         case BT_CLOSED:
1921                 s->state = BT_CLOSED;
1922                 rfcomm_session_close(s, sk->sk_err);
1923                 break;
1924         }
1925 }
1926
1927 static inline void rfcomm_process_sessions(void)
1928 {
1929         struct list_head *p, *n;
1930
1931         rfcomm_lock();
1932
1933         list_for_each_safe(p, n, &session_list) {
1934                 struct rfcomm_session *s;
1935                 s = list_entry(p, struct rfcomm_session, list);
1936
1937                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1938                         s->state = BT_DISCONN;
1939                         rfcomm_send_disc(s, 0);
1940                         rfcomm_session_put(s);
1941                         continue;
1942                 }
1943
1944                 if (s->state == BT_LISTEN) {
1945                         rfcomm_accept_connection(s);
1946                         continue;
1947                 }
1948
1949                 rfcomm_session_hold(s);
1950
1951                 switch (s->state) {
1952                 case BT_BOUND:
1953                         rfcomm_check_connection(s);
1954                         break;
1955
1956                 default:
1957                         rfcomm_process_rx(s);
1958                         break;
1959                 }
1960
1961                 rfcomm_process_dlcs(s);
1962
1963                 rfcomm_session_put(s);
1964         }
1965
1966         rfcomm_unlock();
1967 }
1968
1969 static int rfcomm_add_listener(bdaddr_t *ba)
1970 {
1971         struct sockaddr_l2 addr;
1972         struct socket *sock;
1973         struct sock *sk;
1974         struct rfcomm_session *s;
1975         int    err = 0;
1976
1977         /* Create socket */
1978         err = rfcomm_l2sock_create(&sock);
1979         if (err < 0) {
1980                 BT_ERR("Create socket failed %d", err);
1981                 return err;
1982         }
1983
1984         /* Bind socket */
1985         bacpy(&addr.l2_bdaddr, ba);
1986         addr.l2_family = AF_BLUETOOTH;
1987         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
1988         addr.l2_cid    = 0;
1989         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1990         if (err < 0) {
1991                 BT_ERR("Bind failed %d", err);
1992                 goto failed;
1993         }
1994
1995         /* Set L2CAP options */
1996         sk = sock->sk;
1997         lock_sock(sk);
1998         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
1999         release_sock(sk);
2000
2001         /* Start listening on the socket */
2002         err = kernel_listen(sock, 10);
2003         if (err) {
2004                 BT_ERR("Listen failed %d", err);
2005                 goto failed;
2006         }
2007
2008         /* Add listening session */
2009         s = rfcomm_session_add(sock, BT_LISTEN);
2010         if (!s)
2011                 goto failed;
2012
2013         rfcomm_session_hold(s);
2014         return 0;
2015 failed:
2016         sock_release(sock);
2017         return err;
2018 }
2019
2020 static void rfcomm_kill_listener(void)
2021 {
2022         struct rfcomm_session *s;
2023         struct list_head *p, *n;
2024
2025         BT_DBG("");
2026
2027         list_for_each_safe(p, n, &session_list) {
2028                 s = list_entry(p, struct rfcomm_session, list);
2029                 rfcomm_session_del(s);
2030         }
2031 }
2032
2033 static int rfcomm_run(void *unused)
2034 {
2035         BT_DBG("");
2036
2037         set_user_nice(current, -10);
2038
2039         rfcomm_add_listener(BDADDR_ANY);
2040
2041         while (!kthread_should_stop()) {
2042                 set_current_state(TASK_INTERRUPTIBLE);
2043                 if (!test_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event)) {
2044                         /* No pending events. Let's sleep.
2045                          * Incoming connections and data will wake us up. */
2046                         schedule();
2047                 }
2048                 set_current_state(TASK_RUNNING);
2049
2050                 /* Process stuff */
2051                 clear_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
2052                 rfcomm_process_sessions();
2053         }
2054
2055         rfcomm_kill_listener();
2056
2057         return 0;
2058 }
2059
2060 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2061 {
2062         struct rfcomm_session *s;
2063         struct rfcomm_dlc *d;
2064         struct list_head *p, *n;
2065
2066         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2067
2068         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2069         if (!s)
2070                 return;
2071
2072         rfcomm_session_hold(s);
2073
2074         list_for_each_safe(p, n, &s->dlcs) {
2075                 d = list_entry(p, struct rfcomm_dlc, list);
2076
2077                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2078                         rfcomm_dlc_clear_timer(d);
2079                         if (status || encrypt == 0x00) {
2080                                 __rfcomm_dlc_close(d, ECONNREFUSED);
2081                                 continue;
2082                         }
2083                 }
2084
2085                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2086                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2087                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2088                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2089                                 continue;
2090                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2091                                 __rfcomm_dlc_close(d, ECONNREFUSED);
2092                                 continue;
2093                         }
2094                 }
2095
2096                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2097                         continue;
2098
2099                 if (!status && hci_conn_check_secure(conn, d->sec_level))
2100                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2101                 else
2102                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2103         }
2104
2105         rfcomm_session_put(s);
2106
2107         rfcomm_schedule();
2108 }
2109
2110 static struct hci_cb rfcomm_cb = {
2111         .name           = "RFCOMM",
2112         .security_cfm   = rfcomm_security_cfm
2113 };
2114
2115 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2116 {
2117         struct rfcomm_session *s;
2118         struct list_head *pp, *p;
2119
2120         rfcomm_lock();
2121
2122         list_for_each(p, &session_list) {
2123                 s = list_entry(p, struct rfcomm_session, list);
2124                 list_for_each(pp, &s->dlcs) {
2125                         struct sock *sk = s->sock->sk;
2126                         struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
2127
2128                         seq_printf(f, "%s %s %ld %d %d %d %d\n",
2129                                                 batostr(&bt_sk(sk)->src),
2130                                                 batostr(&bt_sk(sk)->dst),
2131                                                 d->state, d->dlci, d->mtu,
2132                                                 d->rx_credits, d->tx_credits);
2133                 }
2134         }
2135
2136         rfcomm_unlock();
2137
2138         return 0;
2139 }
2140
2141 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2142 {
2143         return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2144 }
2145
2146 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2147         .open           = rfcomm_dlc_debugfs_open,
2148         .read           = seq_read,
2149         .llseek         = seq_lseek,
2150         .release        = single_release,
2151 };
2152
2153 static struct dentry *rfcomm_dlc_debugfs;
2154
2155 /* ---- Initialization ---- */
2156 static int __init rfcomm_init(void)
2157 {
2158         int err;
2159
2160         hci_register_cb(&rfcomm_cb);
2161
2162         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2163         if (IS_ERR(rfcomm_thread)) {
2164                 err = PTR_ERR(rfcomm_thread);
2165                 goto unregister;
2166         }
2167
2168         if (bt_debugfs) {
2169                 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2170                                 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2171                 if (!rfcomm_dlc_debugfs)
2172                         BT_ERR("Failed to create RFCOMM debug file");
2173         }
2174
2175         err = rfcomm_init_ttys();
2176         if (err < 0)
2177                 goto stop;
2178
2179         err = rfcomm_init_sockets();
2180         if (err < 0)
2181                 goto cleanup;
2182
2183         BT_INFO("RFCOMM ver %s", VERSION);
2184
2185         return 0;
2186
2187 cleanup:
2188         rfcomm_cleanup_ttys();
2189
2190 stop:
2191         kthread_stop(rfcomm_thread);
2192
2193 unregister:
2194         hci_unregister_cb(&rfcomm_cb);
2195
2196         return err;
2197 }
2198
2199 static void __exit rfcomm_exit(void)
2200 {
2201         debugfs_remove(rfcomm_dlc_debugfs);
2202
2203         hci_unregister_cb(&rfcomm_cb);
2204
2205         kthread_stop(rfcomm_thread);
2206
2207         rfcomm_cleanup_ttys();
2208
2209         rfcomm_cleanup_sockets();
2210 }
2211
2212 module_init(rfcomm_init);
2213 module_exit(rfcomm_exit);
2214
2215 module_param(disable_cfc, bool, 0644);
2216 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2217
2218 module_param(channel_mtu, int, 0644);
2219 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2220
2221 module_param(l2cap_mtu, uint, 0644);
2222 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2223
2224 module_param(l2cap_ertm, bool, 0644);
2225 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2226
2227 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2228 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2229 MODULE_VERSION(VERSION);
2230 MODULE_LICENSE("GPL");
2231 MODULE_ALIAS("bt-proto-3");