net/bluetooth/rfcomm/core.c

   1 /*
   2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
   4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License version 2 as
   8    published by the Free Software Foundation;
   9
  10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  18
  19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  21    SOFTWARE IS DISCLAIMED.
  22 */
  23
  24 /*
  25  * Bluetooth RFCOMM core.
  26  */
  27
  28 #include <linux/module.h>
  29 #include <linux/errno.h>
  30 #include <linux/kernel.h>
  31 #include <linux/sched.h>
  32 #include <linux/signal.h>
  33 #include <linux/init.h>
  34 #include <linux/wait.h>
  35 #include <linux/device.h>
  36 #include <linux/debugfs.h>
  37 #include <linux/seq_file.h>
  38 #include <linux/net.h>
  39 #include <linux/mutex.h>
  40 #include <linux/kthread.h>
  41 #include <linux/slab.h>
  42
  43 #include <net/sock.h>
  44 #include <linux/uaccess.h>
  45 #include <asm/unaligned.h>
  46
  47 #include <net/bluetooth/bluetooth.h>
  48 #include <net/bluetooth/hci_core.h>
  49 #include <net/bluetooth/l2cap.h>
  50 #include <net/bluetooth/rfcomm.h>
  51
  52 #define VERSION "1.11"
  53
  54 static int disable_cfc;
  55 static int l2cap_ertm;
  56 static int channel_mtu = -1;
  57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
  58
  59 static struct task_struct *rfcomm_thread;
  60
  61 static DEFINE_MUTEX(rfcomm_mutex);
  62 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
  63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
  64
  65
  66 static LIST_HEAD(session_list);
  67
  68 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
  69 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
  70 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
  71 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
  72 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
  73 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
  74 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
  75 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
  76 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
  77 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
  78
  79 static void rfcomm_process_connect(struct rfcomm_session *s);
  80
  81 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
  82                                                         bdaddr_t *dst,
  83                                                         u8 sec_level,
  84                                                         int *err);
  85 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
  86 static void rfcomm_session_del(struct rfcomm_session *s);
  87
  88 /* ---- RFCOMM frame parsing macros ---- */
  89 #define __get_dlci(b)     ((b & 0xfc) >> 2)
  90 #define __get_channel(b)  ((b & 0xf8) >> 3)
  91 #define __get_dir(b)      ((b & 0x04) >> 2)
  92 #define __get_type(b)     ((b & 0xef))
  93
  94 #define __test_ea(b)      ((b & 0x01))
  95 #define __test_cr(b)      ((b & 0x02))
  96 #define __test_pf(b)      ((b & 0x10))
  97
  98 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
  99 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
 100 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
 101 #define __srv_channel(dlci)    (dlci >> 1)
 102 #define __dir(dlci)            (dlci & 0x01)
 103
 104 #define __len8(len)       (((len) << 1) | 1)
 105 #define __len16(len)      ((len) << 1)
 106
 107 /* MCC macros */
 108 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
 109 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
 110 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
 111
 112 /* RPN macros */
 113 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
 114 #define __get_rpn_data_bits(line) ((line) & 0x3)
 115 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
 116 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
 117
 118 static inline void rfcomm_schedule(void)
 119 {
 120         if (!rfcomm_thread)
 121                 return;
 122         wake_up_process(rfcomm_thread);
 123 }
 124
 125 static inline void rfcomm_session_put(struct rfcomm_session *s)
 126 {
 127         if (atomic_dec_and_test(&s->refcnt))
 128                 rfcomm_session_del(s);
 129 }
 130
 131 /* ---- RFCOMM FCS computation ---- */
 132
 133 /* reversed, 8-bit, poly=0x07 */
 134 static unsigned char rfcomm_crc_table[256] = {
 135         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
 136         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
 137         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
 138         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
 139
 140         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
 141         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
 142         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
 143         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
 144
 145         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
 146         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
 147         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
 148         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
 149
 150         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
 151         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
 152         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
 153         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
 154
 155         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
 156         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
 157         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
 158         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
 159
 160         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
 161         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
 162         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
 163         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
 164
 165         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
 166         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
 167         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
 168         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
 169
 170         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
 171         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
 172         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
 173         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
 174 };
 175
 176 /* CRC on 2 bytes */
 177 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
 178
 179 /* FCS on 2 bytes */
 180 static inline u8 __fcs(u8 *data)
 181 {
 182         return 0xff - __crc(data);
 183 }
 184
 185 /* FCS on 3 bytes */
 186 static inline u8 __fcs2(u8 *data)
 187 {
 188         return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
 189 }
 190
 191 /* Check FCS */
 192 static inline int __check_fcs(u8 *data, int type, u8 fcs)
 193 {
 194         u8 f = __crc(data);
 195
 196         if (type != RFCOMM_UIH)
 197                 f = rfcomm_crc_table[f ^ data[2]];
 198
 199         return rfcomm_crc_table[f ^ fcs] != 0xcf;
 200 }
 201
 202 /* ---- L2CAP callbacks ---- */
 203 static void rfcomm_l2state_change(struct sock *sk)
 204 {
 205         BT_DBG("%p state %d", sk, sk->sk_state);
 206         rfcomm_schedule();
 207 }
 208
 209 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
 210 {
 211         BT_DBG("%p bytes %d", sk, bytes);
 212         rfcomm_schedule();
 213 }
 214
 215 static int rfcomm_l2sock_create(struct socket **sock)
 216 {
 217         int err;
 218
 219         BT_DBG("");
 220
 221         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
 222         if (!err) {
 223                 struct sock *sk = (*sock)->sk;
 224                 sk->sk_data_ready   = rfcomm_l2data_ready;
 225                 sk->sk_state_change = rfcomm_l2state_change;
 226         }
 227         return err;
 228 }
 229
 230 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
 231 {
 232         struct sock *sk = d->session->sock->sk;
 233         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
 234
 235         __u8 auth_type;
 236
 237         switch (d->sec_level) {
 238         case BT_SECURITY_HIGH:
 239                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
 240                 break;
 241         case BT_SECURITY_MEDIUM:
 242                 auth_type = HCI_AT_GENERAL_BONDING;
 243                 break;
 244         default:
 245                 auth_type = HCI_AT_NO_BONDING;
 246                 break;
 247         }
 248
 249         return hci_conn_security(conn->hcon, d->sec_level, auth_type);
 250 }
 251
 252 static void rfcomm_session_timeout(unsigned long arg)
 253 {
 254         struct rfcomm_session *s = (void *) arg;
 255
 256         BT_DBG("session %p state %ld", s, s->state);
 257
 258         set_bit(RFCOMM_TIMED_OUT, &s->flags);
 259         rfcomm_schedule();
 260 }
 261
 262 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
 263 {
 264         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
 265
 266         if (!mod_timer(&s->timer, jiffies + timeout))
 267                 rfcomm_session_hold(s);
 268 }
 269
 270 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
 271 {
 272         BT_DBG("session %p state %ld", s, s->state);
 273
 274         if (timer_pending(&s->timer) && del_timer(&s->timer))
 275                 rfcomm_session_put(s);
 276 }
 277
 278 /* ---- RFCOMM DLCs ---- */
 279 static void rfcomm_dlc_timeout(unsigned long arg)
 280 {
 281         struct rfcomm_dlc *d = (void *) arg;
 282
 283         BT_DBG("dlc %p state %ld", d, d->state);
 284
 285         set_bit(RFCOMM_TIMED_OUT, &d->flags);
 286         rfcomm_dlc_put(d);
 287         rfcomm_schedule();
 288 }
 289
 290 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
 291 {
 292         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
 293
 294         if (!mod_timer(&d->timer, jiffies + timeout))
 295                 rfcomm_dlc_hold(d);
 296 }
 297
 298 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
 299 {
 300         BT_DBG("dlc %p state %ld", d, d->state);
 301
 302         if (timer_pending(&d->timer) && del_timer(&d->timer))
 303                 rfcomm_dlc_put(d);
 304 }
 305
 306 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
 307 {
 308         BT_DBG("%p", d);
 309
 310         d->state      = BT_OPEN;
 311         d->flags      = 0;
 312         d->mscex      = 0;
 313         d->sec_level  = BT_SECURITY_LOW;
 314         d->mtu        = RFCOMM_DEFAULT_MTU;
 315         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
 316
 317         d->cfc        = RFCOMM_CFC_DISABLED;
 318         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
 319 }
 320
 321 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
 322 {
 323         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
 324
 325         if (!d)
 326                 return NULL;
 327
 328         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
 329
 330         skb_queue_head_init(&d->tx_queue);
 331         spin_lock_init(&d->lock);
 332         atomic_set(&d->refcnt, 1);
 333
 334         rfcomm_dlc_clear_state(d);
 335
 336         BT_DBG("%p", d);
 337
 338         return d;
 339 }
 340
 341 void rfcomm_dlc_free(struct rfcomm_dlc *d)
 342 {
 343         BT_DBG("%p", d);
 344
 345         skb_queue_purge(&d->tx_queue);
 346         kfree(d);
 347 }
 348
 349 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
 350 {
 351         BT_DBG("dlc %p session %p", d, s);
 352
 353         rfcomm_session_hold(s);
 354
 355         rfcomm_session_clear_timer(s);
 356         rfcomm_dlc_hold(d);
 357         list_add(&d->list, &s->dlcs);
 358         d->session = s;
 359 }
 360
 361 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
 362 {
 363         struct rfcomm_session *s = d->session;
 364
 365         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
 366
 367         list_del(&d->list);
 368         d->session = NULL;
 369         rfcomm_dlc_put(d);
 370
 371         if (list_empty(&s->dlcs))
 372                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
 373
 374         rfcomm_session_put(s);
 375 }
 376
 377 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
 378 {
 379         struct rfcomm_dlc *d;
 380         struct list_head *p;
 381
 382         list_for_each(p, &s->dlcs) {
 383                 d = list_entry(p, struct rfcomm_dlc, list);
 384                 if (d->dlci == dlci)
 385                         return d;
 386         }
 387         return NULL;
 388 }
 389
 390 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
 391 {
 392         struct rfcomm_session *s;
 393         int err = 0;
 394         u8 dlci;
 395
 396         BT_DBG("dlc %p state %ld %s %s channel %d",
 397                         d, d->state, batostr(src), batostr(dst), channel);
 398
 399         if (channel < 1 || channel > 30)
 400                 return -EINVAL;
 401
 402         if (d->state != BT_OPEN && d->state != BT_CLOSED)
 403                 return 0;
 404
 405         s = rfcomm_session_get(src, dst);
 406         if (!s) {
 407                 s = rfcomm_session_create(src, dst, d->sec_level, &err);
 408                 if (!s)
 409                         return err;
 410         }
 411
 412         dlci = __dlci(!s->initiator, channel);
 413
 414         /* Check if DLCI already exists */
 415         if (rfcomm_dlc_get(s, dlci))
 416                 return -EBUSY;
 417
 418         rfcomm_dlc_clear_state(d);
 419
 420         d->dlci     = dlci;
 421         d->addr     = __addr(s->initiator, dlci);
 422         d->priority = 7;
 423
 424         d->state = BT_CONFIG;
 425         rfcomm_dlc_link(s, d);
 426
 427         d->out = 1;
 428
 429         d->mtu = s->mtu;
 430         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
 431
 432         if (s->state == BT_CONNECTED) {
 433                 if (rfcomm_check_security(d))
 434                         rfcomm_send_pn(s, 1, d);
 435                 else
 436                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
 437         }
 438
 439         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
 440
 441         return 0;
 442 }
 443
 444 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
 445 {
 446         int r;
 447
 448         rfcomm_lock();
 449
 450         r = __rfcomm_dlc_open(d, src, dst, channel);
 451
 452         rfcomm_unlock();
 453         return r;
 454 }
 455
 456 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 457 {
 458         struct rfcomm_session *s = d->session;
 459         if (!s)
 460                 return 0;
 461
 462         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
 463                         d, d->state, d->dlci, err, s);
 464
 465         switch (d->state) {
 466         case BT_CONNECT:
 467         case BT_CONFIG:
 468                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
 469                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
 470                         rfcomm_schedule();
 471                         break;
 472                 }
 473                 /* Fall through */
 474
 475         case BT_CONNECTED:
 476                 d->state = BT_DISCONN;
 477                 if (skb_queue_empty(&d->tx_queue)) {
 478                         rfcomm_send_disc(s, d->dlci);
 479                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
 480                 } else {
 481                         rfcomm_queue_disc(d);
 482                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
 483                 }
 484                 break;
 485
 486         case BT_OPEN:
 487         case BT_CONNECT2:
 488                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
 489                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
 490                         rfcomm_schedule();
 491                         break;
 492                 }
 493                 /* Fall through */
 494
 495         default:
 496                 rfcomm_dlc_clear_timer(d);
 497
 498                 rfcomm_dlc_lock(d);
 499                 d->state = BT_CLOSED;
 500                 d->state_change(d, err);
 501                 rfcomm_dlc_unlock(d);
 502
 503                 skb_queue_purge(&d->tx_queue);
 504                 rfcomm_dlc_unlink(d);
 505         }
 506
 507         return 0;
 508 }
 509
 510 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 511 {
 512         int r;
 513
 514         rfcomm_lock();
 515
 516         r = __rfcomm_dlc_close(d, err);
 517
 518         rfcomm_unlock();
 519         return r;
 520 }
 521
 522 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
 523 {
 524         int len = skb->len;
 525
 526         if (d->state != BT_CONNECTED)
 527                 return -ENOTCONN;
 528
 529         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
 530
 531         if (len > d->mtu)
 532                 return -EINVAL;
 533
 534         rfcomm_make_uih(skb, d->addr);
 535         skb_queue_tail(&d->tx_queue, skb);
 536
 537         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
 538                 rfcomm_schedule();
 539         return len;
 540 }
 541
 542 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
 543 {
 544         BT_DBG("dlc %p state %ld", d, d->state);
 545
 546         if (!d->cfc) {
 547                 d->v24_sig |= RFCOMM_V24_FC;
 548                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
 549         }
 550         rfcomm_schedule();
 551 }
 552
 553 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
 554 {
 555         BT_DBG("dlc %p state %ld", d, d->state);
 556
 557         if (!d->cfc) {
 558                 d->v24_sig &= ~RFCOMM_V24_FC;
 559                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
 560         }
 561         rfcomm_schedule();
 562 }
 563
 564 /*
 565    Set/get modem status functions use _local_ status i.e. what we report
 566    to the other side.
 567    Remote status is provided by dlc->modem_status() callback.
 568  */
 569 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
 570 {
 571         BT_DBG("dlc %p state %ld v24_sig 0x%x",
 572                         d, d->state, v24_sig);
 573
 574         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
 575                 v24_sig |= RFCOMM_V24_FC;
 576         else
 577                 v24_sig &= ~RFCOMM_V24_FC;
 578
 579         d->v24_sig = v24_sig;
 580
 581         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
 582                 rfcomm_schedule();
 583
 584         return 0;
 585 }
 586
 587 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
 588 {
 589         BT_DBG("dlc %p state %ld v24_sig 0x%x",
 590                         d, d->state, d->v24_sig);
 591
 592         *v24_sig = d->v24_sig;
 593         return 0;
 594 }
 595
 596 /* ---- RFCOMM sessions ---- */
 597 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
 598 {
 599         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
 600
 601         if (!s)
 602                 return NULL;
 603
 604         BT_DBG("session %p sock %p", s, sock);
 605
 606         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
 607
 608         INIT_LIST_HEAD(&s->dlcs);
 609         s->state = state;
 610         s->sock  = sock;
 611
 612         s->mtu = RFCOMM_DEFAULT_MTU;
 613         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
 614
 615         /* Do not increment module usage count for listening sessions.
 616          * Otherwise we won't be able to unload the module. */
 617         if (state != BT_LISTEN)
 618                 if (!try_module_get(THIS_MODULE)) {
 619                         kfree(s);
 620                         return NULL;
 621                 }
 622
 623         list_add(&s->list, &session_list);
 624
 625         return s;
 626 }
 627
 628 static void rfcomm_session_del(struct rfcomm_session *s)
 629 {
 630         int state = s->state;
 631
 632         BT_DBG("session %p state %ld", s, s->state);
 633
 634         list_del(&s->list);
 635
 636         if (state == BT_CONNECTED)
 637                 rfcomm_send_disc(s, 0);
 638
 639         rfcomm_session_clear_timer(s);
 640         sock_release(s->sock);
 641         kfree(s);
 642
 643         if (state != BT_LISTEN)
 644                 module_put(THIS_MODULE);
 645 }
 646
 647 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
 648 {
 649         struct rfcomm_session *s;
 650         struct list_head *p, *n;
 651         struct bt_sock *sk;
 652         list_for_each_safe(p, n, &session_list) {
 653                 s = list_entry(p, struct rfcomm_session, list);
 654                 sk = bt_sk(s->sock->sk);
 655
 656                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
 657                                 !bacmp(&sk->dst, dst))
 658                         return s;
 659         }
 660         return NULL;
 661 }
 662
 663 static void rfcomm_session_close(struct rfcomm_session *s, int err)
 664 {
 665         struct rfcomm_dlc *d;
 666         struct list_head *p, *n;
 667
 668         BT_DBG("session %p state %ld err %d", s, s->state, err);
 669
 670         rfcomm_session_hold(s);
 671
 672         s->state = BT_CLOSED;
 673
 674         /* Close all dlcs */
 675         list_for_each_safe(p, n, &s->dlcs) {
 676                 d = list_entry(p, struct rfcomm_dlc, list);
 677                 d->state = BT_CLOSED;
 678                 __rfcomm_dlc_close(d, err);
 679         }
 680
 681         rfcomm_session_clear_timer(s);
 682         rfcomm_session_put(s);
 683 }
 684
 685 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
 686                                                         bdaddr_t *dst,
 687                                                         u8 sec_level,
 688                                                         int *err)
 689 {
 690         struct rfcomm_session *s = NULL;
 691         struct sockaddr_l2 addr;
 692         struct socket *sock;
 693         struct sock *sk;
 694
 695         BT_DBG("%s %s", batostr(src), batostr(dst));
 696
 697         *err = rfcomm_l2sock_create(&sock);
 698         if (*err < 0)
 699                 return NULL;
 700
 701         bacpy(&addr.l2_bdaddr, src);
 702         addr.l2_family = AF_BLUETOOTH;
 703         addr.l2_psm    = 0;
 704         addr.l2_cid    = 0;
 705         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
 706         if (*err < 0)
 707                 goto failed;
 708
 709         /* Set L2CAP options */
 710         sk = sock->sk;
 711         lock_sock(sk);
 712         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
 713         l2cap_pi(sk)->chan->sec_level = sec_level;
 714         if (l2cap_ertm)
 715                 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
 716         release_sock(sk);
 717
 718         s = rfcomm_session_add(sock, BT_BOUND);
 719         if (!s) {
 720                 *err = -ENOMEM;
 721                 goto failed;
 722         }
 723
 724         s->initiator = 1;
 725
 726         bacpy(&addr.l2_bdaddr, dst);
 727         addr.l2_family = AF_BLUETOOTH;
 728         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
 729         addr.l2_cid    = 0;
 730         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
 731         if (*err == 0 || *err == -EINPROGRESS)
 732                 return s;
 733
 734         rfcomm_session_del(s);
 735         return NULL;
 736
 737 failed:
 738         sock_release(sock);
 739         return NULL;
 740 }
 741
 742 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
 743 {
 744         struct sock *sk = s->sock->sk;
 745         if (src)
 746                 bacpy(src, &bt_sk(sk)->src);
 747         if (dst)
 748                 bacpy(dst, &bt_sk(sk)->dst);
 749 }
 750
 751 /* ---- RFCOMM frame sending ---- */
 752 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
 753 {
 754         struct socket *sock = s->sock;
 755         struct kvec iv = { data, len };
 756         struct msghdr msg;
 757
 758         BT_DBG("session %p len %d", s, len);
 759
 760         memset(&msg, 0, sizeof(msg));
 761
 762         return kernel_sendmsg(sock, &msg, &iv, 1, len);
 763 }
 764
 765 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
 766 {
 767         struct rfcomm_cmd cmd;
 768
 769         BT_DBG("%p dlci %d", s, dlci);
 770
 771         cmd.addr = __addr(s->initiator, dlci);
 772         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
 773         cmd.len  = __len8(0);
 774         cmd.fcs  = __fcs2((u8 *) &cmd);
 775
 776         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
 777 }
 778
 779 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
 780 {
 781         struct rfcomm_cmd cmd;
 782
 783         BT_DBG("%p dlci %d", s, dlci);
 784
 785         cmd.addr = __addr(!s->initiator, dlci);
 786         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
 787         cmd.len  = __len8(0);
 788         cmd.fcs  = __fcs2((u8 *) &cmd);
 789
 790         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
 791 }
 792
 793 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
 794 {
 795         struct rfcomm_cmd cmd;
 796
 797         BT_DBG("%p dlci %d", s, dlci);
 798
 799         cmd.addr = __addr(s->initiator, dlci);
 800         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
 801         cmd.len  = __len8(0);
 802         cmd.fcs  = __fcs2((u8 *) &cmd);
 803
 804         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
 805 }
 806
 807 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
 808 {
 809         struct rfcomm_cmd *cmd;
 810         struct sk_buff *skb;
 811
 812         BT_DBG("dlc %p dlci %d", d, d->dlci);
 813
 814         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
 815         if (!skb)
 816                 return -ENOMEM;
 817
 818         cmd = (void *) __skb_put(skb, sizeof(*cmd));
 819         cmd->addr = d->addr;
 820         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
 821         cmd->len  = __len8(0);
 822         cmd->fcs  = __fcs2((u8 *) cmd);
 823
 824         skb_queue_tail(&d->tx_queue, skb);
 825         rfcomm_schedule();
 826         return 0;
 827 }
 828
 829 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
 830 {
 831         struct rfcomm_cmd cmd;
 832
 833         BT_DBG("%p dlci %d", s, dlci);
 834
 835         cmd.addr = __addr(!s->initiator, dlci);
 836         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
 837         cmd.len  = __len8(0);
 838         cmd.fcs  = __fcs2((u8 *) &cmd);
 839
 840         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
 841 }
 842
 843 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
 844 {
 845         struct rfcomm_hdr *hdr;
 846         struct rfcomm_mcc *mcc;
 847         u8 buf[16], *ptr = buf;
 848
 849         BT_DBG("%p cr %d type %d", s, cr, type);
 850
 851         hdr = (void *) ptr; ptr += sizeof(*hdr);
 852         hdr->addr = __addr(s->initiator, 0);
 853         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 854         hdr->len  = __len8(sizeof(*mcc) + 1);
 855
 856         mcc = (void *) ptr; ptr += sizeof(*mcc);
 857         mcc->type = __mcc_type(cr, RFCOMM_NSC);
 858         mcc->len  = __len8(1);
 859
 860         /* Type that we didn't like */
 861         *ptr = __mcc_type(cr, type); ptr++;
 862
 863         *ptr = __fcs(buf); ptr++;
 864
 865         return rfcomm_send_frame(s, buf, ptr - buf);
 866 }
 867
 868 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
 869 {
 870         struct rfcomm_hdr *hdr;
 871         struct rfcomm_mcc *mcc;
 872         struct rfcomm_pn  *pn;
 873         u8 buf[16], *ptr = buf;
 874
 875         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
 876
 877         hdr = (void *) ptr; ptr += sizeof(*hdr);
 878         hdr->addr = __addr(s->initiator, 0);
 879         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 880         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
 881
 882         mcc = (void *) ptr; ptr += sizeof(*mcc);
 883         mcc->type = __mcc_type(cr, RFCOMM_PN);
 884         mcc->len  = __len8(sizeof(*pn));
 885
 886         pn = (void *) ptr; ptr += sizeof(*pn);
 887         pn->dlci        = d->dlci;
 888         pn->priority    = d->priority;
 889         pn->ack_timer   = 0;
 890         pn->max_retrans = 0;
 891
 892         if (s->cfc) {
 893                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
 894                 pn->credits = RFCOMM_DEFAULT_CREDITS;
 895         } else {
 896                 pn->flow_ctrl = 0;
 897                 pn->credits   = 0;
 898         }
 899
 900         if (cr && channel_mtu >= 0)
 901                 pn->mtu = cpu_to_le16(channel_mtu);
 902         else
 903                 pn->mtu = cpu_to_le16(d->mtu);
 904
 905         *ptr = __fcs(buf); ptr++;
 906
 907         return rfcomm_send_frame(s, buf, ptr - buf);
 908 }
 909
 910 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
 911                         u8 bit_rate, u8 data_bits, u8 stop_bits,
 912                         u8 parity, u8 flow_ctrl_settings,
 913                         u8 xon_char, u8 xoff_char, u16 param_mask)
 914 {
 915         struct rfcomm_hdr *hdr;
 916         struct rfcomm_mcc *mcc;
 917         struct rfcomm_rpn *rpn;
 918         u8 buf[16], *ptr = buf;
 919
 920         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
 921                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
 922                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
 923                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
 924
 925         hdr = (void *) ptr; ptr += sizeof(*hdr);
 926         hdr->addr = __addr(s->initiator, 0);
 927         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 928         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
 929
 930         mcc = (void *) ptr; ptr += sizeof(*mcc);
 931         mcc->type = __mcc_type(cr, RFCOMM_RPN);
 932         mcc->len  = __len8(sizeof(*rpn));
 933
 934         rpn = (void *) ptr; ptr += sizeof(*rpn);
 935         rpn->dlci          = __addr(1, dlci);
 936         rpn->bit_rate      = bit_rate;
 937         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
 938         rpn->flow_ctrl     = flow_ctrl_settings;
 939         rpn->xon_char      = xon_char;
 940         rpn->xoff_char     = xoff_char;
 941         rpn->param_mask    = cpu_to_le16(param_mask);
 942
 943         *ptr = __fcs(buf); ptr++;
 944
 945         return rfcomm_send_frame(s, buf, ptr - buf);
 946 }
 947
 948 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
 949 {
 950         struct rfcomm_hdr *hdr;
 951         struct rfcomm_mcc *mcc;
 952         struct rfcomm_rls *rls;
 953         u8 buf[16], *ptr = buf;
 954
 955         BT_DBG("%p cr %d status 0x%x", s, cr, status);
 956
 957         hdr = (void *) ptr; ptr += sizeof(*hdr);
 958         hdr->addr = __addr(s->initiator, 0);
 959         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 960         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
 961
 962         mcc = (void *) ptr; ptr += sizeof(*mcc);
 963         mcc->type = __mcc_type(cr, RFCOMM_RLS);
 964         mcc->len  = __len8(sizeof(*rls));
 965
 966         rls = (void *) ptr; ptr += sizeof(*rls);
 967         rls->dlci   = __addr(1, dlci);
 968         rls->status = status;
 969
 970         *ptr = __fcs(buf); ptr++;
 971
 972         return rfcomm_send_frame(s, buf, ptr - buf);
 973 }
 974
 975 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
 976 {
 977         struct rfcomm_hdr *hdr;
 978         struct rfcomm_mcc *mcc;
 979         struct rfcomm_msc *msc;
 980         u8 buf[16], *ptr = buf;
 981
 982         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
 983
 984         hdr = (void *) ptr; ptr += sizeof(*hdr);
 985         hdr->addr = __addr(s->initiator, 0);
 986         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 987         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
 988
 989         mcc = (void *) ptr; ptr += sizeof(*mcc);
 990         mcc->type = __mcc_type(cr, RFCOMM_MSC);
 991         mcc->len  = __len8(sizeof(*msc));
 992
 993         msc = (void *) ptr; ptr += sizeof(*msc);
 994         msc->dlci    = __addr(1, dlci);
 995         msc->v24_sig = v24_sig | 0x01;
 996
 997         *ptr = __fcs(buf); ptr++;
 998
 999         return rfcomm_send_frame(s, buf, ptr - buf);
1000 }
1001
1002 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1003 {
1004         struct rfcomm_hdr *hdr;
1005         struct rfcomm_mcc *mcc;
1006         u8 buf[16], *ptr = buf;
1007
1008         BT_DBG("%p cr %d", s, cr);
1009
1010         hdr = (void *) ptr; ptr += sizeof(*hdr);
1011         hdr->addr = __addr(s->initiator, 0);
1012         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1013         hdr->len  = __len8(sizeof(*mcc));
1014
1015         mcc = (void *) ptr; ptr += sizeof(*mcc);
1016         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1017         mcc->len  = __len8(0);
1018
1019         *ptr = __fcs(buf); ptr++;
1020
1021         return rfcomm_send_frame(s, buf, ptr - buf);
1022 }
1023
1024 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1025 {
1026         struct rfcomm_hdr *hdr;
1027         struct rfcomm_mcc *mcc;
1028         u8 buf[16], *ptr = buf;
1029
1030         BT_DBG("%p cr %d", s, cr);
1031
1032         hdr = (void *) ptr; ptr += sizeof(*hdr);
1033         hdr->addr = __addr(s->initiator, 0);
1034         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1035         hdr->len  = __len8(sizeof(*mcc));
1036
1037         mcc = (void *) ptr; ptr += sizeof(*mcc);
1038         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1039         mcc->len  = __len8(0);
1040
1041         *ptr = __fcs(buf); ptr++;
1042
1043         return rfcomm_send_frame(s, buf, ptr - buf);
1044 }
1045
1046 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1047 {
1048         struct socket *sock = s->sock;
1049         struct kvec iv[3];
1050         struct msghdr msg;
1051         unsigned char hdr[5], crc[1];
1052
1053         if (len > 125)
1054                 return -EINVAL;
1055
1056         BT_DBG("%p cr %d", s, cr);
1057
1058         hdr[0] = __addr(s->initiator, 0);
1059         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1060         hdr[2] = 0x01 | ((len + 2) << 1);
1061         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1062         hdr[4] = 0x01 | (len << 1);
1063
1064         crc[0] = __fcs(hdr);
1065
1066         iv[0].iov_base = hdr;
1067         iv[0].iov_len  = 5;
1068         iv[1].iov_base = pattern;
1069         iv[1].iov_len  = len;
1070         iv[2].iov_base = crc;
1071         iv[2].iov_len  = 1;
1072
1073         memset(&msg, 0, sizeof(msg));
1074
1075         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1076 }
1077
1078 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1079 {
1080         struct rfcomm_hdr *hdr;
1081         u8 buf[16], *ptr = buf;
1082
1083         BT_DBG("%p addr %d credits %d", s, addr, credits);
1084
1085         hdr = (void *) ptr; ptr += sizeof(*hdr);
1086         hdr->addr = addr;
1087         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1088         hdr->len  = __len8(0);
1089
1090         *ptr = credits; ptr++;
1091
1092         *ptr = __fcs(buf); ptr++;
1093
1094         return rfcomm_send_frame(s, buf, ptr - buf);
1095 }
1096
1097 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1098 {
1099         struct rfcomm_hdr *hdr;
1100         int len = skb->len;
1101         u8 *crc;
1102
1103         if (len > 127) {
1104                 hdr = (void *) skb_push(skb, 4);
1105                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1106         } else {
1107                 hdr = (void *) skb_push(skb, 3);
1108                 hdr->len = __len8(len);
1109         }
1110         hdr->addr = addr;
1111         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1112
1113         crc = skb_put(skb, 1);
1114         *crc = __fcs((void *) hdr);
1115 }
1116
1117 /* ---- RFCOMM frame reception ---- */
1118 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1119 {
1120         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1121
1122         if (dlci) {
1123                 /* Data channel */
1124                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1125                 if (!d) {
1126                         rfcomm_send_dm(s, dlci);
1127                         return 0;
1128                 }
1129
1130                 switch (d->state) {
1131                 case BT_CONNECT:
1132                         rfcomm_dlc_clear_timer(d);
1133
1134                         rfcomm_dlc_lock(d);
1135                         d->state = BT_CONNECTED;
1136                         d->state_change(d, 0);
1137                         rfcomm_dlc_unlock(d);
1138
1139                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1140                         break;
1141
1142                 case BT_DISCONN:
1143                         d->state = BT_CLOSED;
1144                         __rfcomm_dlc_close(d, 0);
1145
1146                         if (list_empty(&s->dlcs)) {
1147                                 s->state = BT_DISCONN;
1148                                 rfcomm_send_disc(s, 0);
1149                                 rfcomm_session_clear_timer(s);
1150                         }
1151
1152                         break;
1153                 }
1154         } else {
1155                 /* Control channel */
1156                 switch (s->state) {
1157                 case BT_CONNECT:
1158                         s->state = BT_CONNECTED;
1159                         rfcomm_process_connect(s);
1160                         break;
1161
1162                 case BT_DISCONN:
1163                         /* When socket is closed and we are not RFCOMM
1164                          * initiator rfcomm_process_rx already calls
1165                          * rfcomm_session_put() */
1166                         if (s->sock->sk->sk_state != BT_CLOSED)
1167                                 if (list_empty(&s->dlcs))
1168                                         rfcomm_session_put(s);
1169                         break;
1170                 }
1171         }
1172         return 0;
1173 }
1174
1175 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1176 {
1177         int err = 0;
1178
1179         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1180
1181         if (dlci) {
1182                 /* Data DLC */
1183                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1184                 if (d) {
1185                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1186                                 err = ECONNREFUSED;
1187                         else
1188                                 err = ECONNRESET;
1189
1190                         d->state = BT_CLOSED;
1191                         __rfcomm_dlc_close(d, err);
1192                 }
1193         } else {
1194                 if (s->state == BT_CONNECT)
1195                         err = ECONNREFUSED;
1196                 else
1197                         err = ECONNRESET;
1198
1199                 s->state = BT_CLOSED;
1200                 rfcomm_session_close(s, err);
1201         }
1202         return 0;
1203 }
1204
1205 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1206 {
1207         int err = 0;
1208
1209         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1210
1211         if (dlci) {
1212                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1213                 if (d) {
1214                         rfcomm_send_ua(s, dlci);
1215
1216                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1217                                 err = ECONNREFUSED;
1218                         else
1219                                 err = ECONNRESET;
1220
1221                         d->state = BT_CLOSED;
1222                         __rfcomm_dlc_close(d, err);
1223                 } else
1224                         rfcomm_send_dm(s, dlci);
1225
1226         } else {
1227                 rfcomm_send_ua(s, 0);
1228
1229                 if (s->state == BT_CONNECT)
1230                         err = ECONNREFUSED;
1231                 else
1232                         err = ECONNRESET;
1233
1234                 s->state = BT_CLOSED;
1235                 rfcomm_session_close(s, err);
1236         }
1237
1238         return 0;
1239 }
1240
1241 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1242 {
1243         struct sock *sk = d->session->sock->sk;
1244         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1245
1246         BT_DBG("dlc %p", d);
1247
1248         rfcomm_send_ua(d->session, d->dlci);
1249
1250         rfcomm_dlc_clear_timer(d);
1251
1252         rfcomm_dlc_lock(d);
1253         d->state = BT_CONNECTED;
1254         d->state_change(d, 0);
1255         rfcomm_dlc_unlock(d);
1256
1257         if (d->role_switch)
1258                 hci_conn_switch_role(conn->hcon, 0x00);
1259
1260         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1261 }
1262
1263 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1264 {
1265         if (rfcomm_check_security(d)) {
1266                 if (d->defer_setup) {
1267                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1268                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1269
1270                         rfcomm_dlc_lock(d);
1271                         d->state = BT_CONNECT2;
1272                         d->state_change(d, 0);
1273                         rfcomm_dlc_unlock(d);
1274                 } else
1275                         rfcomm_dlc_accept(d);
1276         } else {
1277                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1278                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1279         }
1280 }
1281
1282 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1283 {
1284         struct rfcomm_dlc *d;
1285         u8 channel;
1286
1287         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1288
1289         if (!dlci) {
1290                 rfcomm_send_ua(s, 0);
1291
1292                 if (s->state == BT_OPEN) {
1293                         s->state = BT_CONNECTED;
1294                         rfcomm_process_connect(s);
1295                 }
1296                 return 0;
1297         }
1298
1299         /* Check if DLC exists */
1300         d = rfcomm_dlc_get(s, dlci);
1301         if (d) {
1302                 if (d->state == BT_OPEN) {
1303                         /* DLC was previously opened by PN request */
1304                         rfcomm_check_accept(d);
1305                 }
1306                 return 0;
1307         }
1308
1309         /* Notify socket layer about incoming connection */
1310         channel = __srv_channel(dlci);
1311         if (rfcomm_connect_ind(s, channel, &d)) {
1312                 d->dlci = dlci;
1313                 d->addr = __addr(s->initiator, dlci);
1314                 rfcomm_dlc_link(s, d);
1315
1316                 rfcomm_check_accept(d);
1317         } else {
1318                 rfcomm_send_dm(s, dlci);
1319         }
1320
1321         return 0;
1322 }
1323
1324 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1325 {
1326         struct rfcomm_session *s = d->session;
1327
1328         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1329                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1330
1331         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1332                                                 pn->flow_ctrl == 0xe0) {
1333                 d->cfc = RFCOMM_CFC_ENABLED;
1334                 d->tx_credits = pn->credits;
1335         } else {
1336                 d->cfc = RFCOMM_CFC_DISABLED;
1337                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1338         }
1339
1340         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1341                 s->cfc = d->cfc;
1342
1343         d->priority = pn->priority;
1344
1345         d->mtu = __le16_to_cpu(pn->mtu);
1346
1347         if (cr && d->mtu > s->mtu)
1348                 d->mtu = s->mtu;
1349
1350         return 0;
1351 }
1352
1353 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1354 {
1355         struct rfcomm_pn *pn = (void *) skb->data;
1356         struct rfcomm_dlc *d;
1357         u8 dlci = pn->dlci;
1358
1359         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1360
1361         if (!dlci)
1362                 return 0;
1363
1364         d = rfcomm_dlc_get(s, dlci);
1365         if (d) {
1366                 if (cr) {
1367                         /* PN request */
1368                         rfcomm_apply_pn(d, cr, pn);
1369                         rfcomm_send_pn(s, 0, d);
1370                 } else {
1371                         /* PN response */
1372                         switch (d->state) {
1373                         case BT_CONFIG:
1374                                 rfcomm_apply_pn(d, cr, pn);
1375
1376                                 d->state = BT_CONNECT;
1377                                 rfcomm_send_sabm(s, d->dlci);
1378                                 break;
1379                         }
1380                 }
1381         } else {
1382                 u8 channel = __srv_channel(dlci);
1383
1384                 if (!cr)
1385                         return 0;
1386
1387                 /* PN request for non existing DLC.
1388                  * Assume incoming connection. */
1389                 if (rfcomm_connect_ind(s, channel, &d)) {
1390                         d->dlci = dlci;
1391                         d->addr = __addr(s->initiator, dlci);
1392                         rfcomm_dlc_link(s, d);
1393
1394                         rfcomm_apply_pn(d, cr, pn);
1395
1396                         d->state = BT_OPEN;
1397                         rfcomm_send_pn(s, 0, d);
1398                 } else {
1399                         rfcomm_send_dm(s, dlci);
1400                 }
1401         }
1402         return 0;
1403 }
1404
1405 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1406 {
1407         struct rfcomm_rpn *rpn = (void *) skb->data;
1408         u8 dlci = __get_dlci(rpn->dlci);
1409
1410         u8 bit_rate  = 0;
1411         u8 data_bits = 0;
1412         u8 stop_bits = 0;
1413         u8 parity    = 0;
1414         u8 flow_ctrl = 0;
1415         u8 xon_char  = 0;
1416         u8 xoff_char = 0;
1417         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1418
1419         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1420                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1421                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1422
1423         if (!cr)
1424                 return 0;
1425
1426         if (len == 1) {
1427                 /* This is a request, return default (according to ETSI TS 07.10) settings */
1428                 bit_rate  = RFCOMM_RPN_BR_9600;
1429                 data_bits = RFCOMM_RPN_DATA_8;
1430                 stop_bits = RFCOMM_RPN_STOP_1;
1431                 parity    = RFCOMM_RPN_PARITY_NONE;
1432                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1433                 xon_char  = RFCOMM_RPN_XON_CHAR;
1434                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1435                 goto rpn_out;
1436         }
1437
1438         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1439          * no parity, no flow control lines, normal XON/XOFF chars */
1440
1441         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1442                 bit_rate = rpn->bit_rate;
1443                 if (bit_rate > RFCOMM_RPN_BR_230400) {
1444                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1445                         bit_rate = RFCOMM_RPN_BR_9600;
1446                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1447                 }
1448         }
1449
1450         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1451                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1452                 if (data_bits != RFCOMM_RPN_DATA_8) {
1453                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1454                         data_bits = RFCOMM_RPN_DATA_8;
1455                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1456                 }
1457         }
1458
1459         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1460                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1461                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1462                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1463                         stop_bits = RFCOMM_RPN_STOP_1;
1464                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1465                 }
1466         }
1467
1468         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1469                 parity = __get_rpn_parity(rpn->line_settings);
1470                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1471                         BT_DBG("RPN parity mismatch 0x%x", parity);
1472                         parity = RFCOMM_RPN_PARITY_NONE;
1473                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1474                 }
1475         }
1476
1477         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1478                 flow_ctrl = rpn->flow_ctrl;
1479                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1480                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1481                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1482                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1483                 }
1484         }
1485
1486         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1487                 xon_char = rpn->xon_char;
1488                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1489                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1490                         xon_char = RFCOMM_RPN_XON_CHAR;
1491                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1492                 }
1493         }
1494
1495         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1496                 xoff_char = rpn->xoff_char;
1497                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1498                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1499                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1500                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1501                 }
1502         }
1503
1504 rpn_out:
1505         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1506                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1507
1508         return 0;
1509 }
1510
1511 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1512 {
1513         struct rfcomm_rls *rls = (void *) skb->data;
1514         u8 dlci = __get_dlci(rls->dlci);
1515
1516         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1517
1518         if (!cr)
1519                 return 0;
1520
1521         /* We should probably do something with this information here. But
1522          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1523          * mandatory to recognise and respond to RLS */
1524
1525         rfcomm_send_rls(s, 0, dlci, rls->status);
1526
1527         return 0;
1528 }
1529
1530 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1531 {
1532         struct rfcomm_msc *msc = (void *) skb->data;
1533         struct rfcomm_dlc *d;
1534         u8 dlci = __get_dlci(msc->dlci);
1535
1536         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1537
1538         d = rfcomm_dlc_get(s, dlci);
1539         if (!d)
1540                 return 0;
1541
1542         if (cr) {
1543                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1544                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1545                 else
1546                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1547
1548                 rfcomm_dlc_lock(d);
1549
1550                 d->remote_v24_sig = msc->v24_sig;
1551
1552                 if (d->modem_status)
1553                         d->modem_status(d, msc->v24_sig);
1554
1555                 rfcomm_dlc_unlock(d);
1556
1557                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1558
1559                 d->mscex |= RFCOMM_MSCEX_RX;
1560         } else
1561                 d->mscex |= RFCOMM_MSCEX_TX;
1562
1563         return 0;
1564 }
1565
1566 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1567 {
1568         struct rfcomm_mcc *mcc = (void *) skb->data;
1569         u8 type, cr, len;
1570
1571         cr   = __test_cr(mcc->type);
1572         type = __get_mcc_type(mcc->type);
1573         len  = __get_mcc_len(mcc->len);
1574
1575         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1576
1577         skb_pull(skb, 2);
1578
1579         switch (type) {
1580         case RFCOMM_PN:
1581                 rfcomm_recv_pn(s, cr, skb);
1582                 break;
1583
1584         case RFCOMM_RPN:
1585                 rfcomm_recv_rpn(s, cr, len, skb);
1586                 break;
1587
1588         case RFCOMM_RLS:
1589                 rfcomm_recv_rls(s, cr, skb);
1590                 break;
1591
1592         case RFCOMM_MSC:
1593                 rfcomm_recv_msc(s, cr, skb);
1594                 break;
1595
1596         case RFCOMM_FCOFF:
1597                 if (cr) {
1598                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1599                         rfcomm_send_fcoff(s, 0);
1600                 }
1601                 break;
1602
1603         case RFCOMM_FCON:
1604                 if (cr) {
1605                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1606                         rfcomm_send_fcon(s, 0);
1607                 }
1608                 break;
1609
1610         case RFCOMM_TEST:
1611                 if (cr)
1612                         rfcomm_send_test(s, 0, skb->data, skb->len);
1613                 break;
1614
1615         case RFCOMM_NSC:
1616                 break;
1617
1618         default:
1619                 BT_ERR("Unknown control type 0x%02x", type);
1620                 rfcomm_send_nsc(s, cr, type);
1621                 break;
1622         }
1623         return 0;
1624 }
1625
1626 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1627 {
1628         struct rfcomm_dlc *d;
1629
1630         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1631
1632         d = rfcomm_dlc_get(s, dlci);
1633         if (!d) {
1634                 rfcomm_send_dm(s, dlci);
1635                 goto drop;
1636         }
1637
1638         if (pf && d->cfc) {
1639                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1640
1641                 d->tx_credits += credits;
1642                 if (d->tx_credits)
1643                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1644         }
1645
1646         if (skb->len && d->state == BT_CONNECTED) {
1647                 rfcomm_dlc_lock(d);
1648                 d->rx_credits--;
1649                 d->data_ready(d, skb);
1650                 rfcomm_dlc_unlock(d);
1651                 return 0;
1652         }
1653
1654 drop:
1655         kfree_skb(skb);
1656         return 0;
1657 }
1658
1659 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1660 {
1661         struct rfcomm_hdr *hdr = (void *) skb->data;
1662         u8 type, dlci, fcs;
1663
1664         dlci = __get_dlci(hdr->addr);
1665         type = __get_type(hdr->ctrl);
1666
1667         /* Trim FCS */
1668         skb->len--; skb->tail--;
1669         fcs = *(u8 *)skb_tail_pointer(skb);
1670
1671         if (__check_fcs(skb->data, type, fcs)) {
1672                 BT_ERR("bad checksum in packet");
1673                 kfree_skb(skb);
1674                 return -EILSEQ;
1675         }
1676
1677         if (__test_ea(hdr->len))
1678                 skb_pull(skb, 3);
1679         else
1680                 skb_pull(skb, 4);
1681
1682         switch (type) {
1683         case RFCOMM_SABM:
1684                 if (__test_pf(hdr->ctrl))
1685                         rfcomm_recv_sabm(s, dlci);
1686                 break;
1687
1688         case RFCOMM_DISC:
1689                 if (__test_pf(hdr->ctrl))
1690                         rfcomm_recv_disc(s, dlci);
1691                 break;
1692
1693         case RFCOMM_UA:
1694                 if (__test_pf(hdr->ctrl))
1695                         rfcomm_recv_ua(s, dlci);
1696                 break;
1697
1698         case RFCOMM_DM:
1699                 rfcomm_recv_dm(s, dlci);
1700                 break;
1701
1702         case RFCOMM_UIH:
1703                 if (dlci)
1704                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1705
1706                 rfcomm_recv_mcc(s, skb);
1707                 break;
1708
1709         default:
1710                 BT_ERR("Unknown packet type 0x%02x", type);
1711                 break;
1712         }
1713         kfree_skb(skb);
1714         return 0;
1715 }
1716
1717 /* ---- Connection and data processing ---- */
1718
1719 static void rfcomm_process_connect(struct rfcomm_session *s)
1720 {
1721         struct rfcomm_dlc *d;
1722         struct list_head *p, *n;
1723
1724         BT_DBG("session %p state %ld", s, s->state);
1725
1726         list_for_each_safe(p, n, &s->dlcs) {
1727                 d = list_entry(p, struct rfcomm_dlc, list);
1728                 if (d->state == BT_CONFIG) {
1729                         d->mtu = s->mtu;
1730                         if (rfcomm_check_security(d)) {
1731                                 rfcomm_send_pn(s, 1, d);
1732                         } else {
1733                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1734                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1735                         }
1736                 }
1737         }
1738 }
1739
1740 /* Send data queued for the DLC.
1741  * Return number of frames left in the queue.
1742  */
1743 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1744 {
1745         struct sk_buff *skb;
1746         int err;
1747
1748         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1749                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1750
1751         /* Send pending MSC */
1752         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1753                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1754
1755         if (d->cfc) {
1756                 /* CFC enabled.
1757                  * Give them some credits */
1758                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1759                                 d->rx_credits <= (d->cfc >> 2)) {
1760                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1761                         d->rx_credits = d->cfc;
1762                 }
1763         } else {
1764                 /* CFC disabled.
1765                  * Give ourselves some credits */
1766                 d->tx_credits = 5;
1767         }
1768
1769         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1770                 return skb_queue_len(&d->tx_queue);
1771
1772         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1773                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1774                 if (err < 0) {
1775                         skb_queue_head(&d->tx_queue, skb);
1776                         break;
1777                 }
1778                 kfree_skb(skb);
1779                 d->tx_credits--;
1780         }
1781
1782         if (d->cfc && !d->tx_credits) {
1783                 /* We're out of TX credits.
1784                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1785                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1786         }
1787
1788         return skb_queue_len(&d->tx_queue);
1789 }
1790
1791 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1792 {
1793         struct rfcomm_dlc *d;
1794         struct list_head *p, *n;
1795
1796         BT_DBG("session %p state %ld", s, s->state);
1797
1798         list_for_each_safe(p, n, &s->dlcs) {
1799                 d = list_entry(p, struct rfcomm_dlc, list);
1800
1801                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1802                         __rfcomm_dlc_close(d, ETIMEDOUT);
1803                         continue;
1804                 }
1805
1806                 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1807                         __rfcomm_dlc_close(d, ECONNREFUSED);
1808                         continue;
1809                 }
1810
1811                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1812                         rfcomm_dlc_clear_timer(d);
1813                         if (d->out) {
1814                                 rfcomm_send_pn(s, 1, d);
1815                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1816                         } else {
1817                                 if (d->defer_setup) {
1818                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1819                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1820
1821                                         rfcomm_dlc_lock(d);
1822                                         d->state = BT_CONNECT2;
1823                                         d->state_change(d, 0);
1824                                         rfcomm_dlc_unlock(d);
1825                                 } else
1826                                         rfcomm_dlc_accept(d);
1827                         }
1828                         continue;
1829                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1830                         rfcomm_dlc_clear_timer(d);
1831                         if (!d->out)
1832                                 rfcomm_send_dm(s, d->dlci);
1833                         else
1834                                 d->state = BT_CLOSED;
1835                         __rfcomm_dlc_close(d, ECONNREFUSED);
1836                         continue;
1837                 }
1838
1839                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1840                         continue;
1841
1842                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1843                         continue;
1844
1845                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1846                                                 d->mscex == RFCOMM_MSCEX_OK)
1847                         rfcomm_process_tx(d);
1848         }
1849 }
1850
1851 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1852 {
1853         struct socket *sock = s->sock;
1854         struct sock *sk = sock->sk;
1855         struct sk_buff *skb;
1856
1857         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1858
1859         /* Get data directly from socket receive queue without copying it. */
1860         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1861                 skb_orphan(skb);
1862                 if (!skb_linearize(skb))
1863                         rfcomm_recv_frame(s, skb);
1864                 else
1865                         kfree_skb(skb);
1866         }
1867
1868         if (sk->sk_state == BT_CLOSED) {
1869                 if (!s->initiator)
1870                         rfcomm_session_put(s);
1871
1872                 rfcomm_session_close(s, sk->sk_err);
1873         }
1874 }
1875
1876 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1877 {
1878         struct socket *sock = s->sock, *nsock;
1879         int err;
1880
1881         /* Fast check for a new connection.
1882          * Avoids unnesesary socket allocations. */
1883         if (list_empty(&bt_sk(sock->sk)->accept_q))
1884                 return;
1885
1886         BT_DBG("session %p", s);
1887
1888         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1889         if (err < 0)
1890                 return;
1891
1892         /* Set our callbacks */
1893         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1894         nsock->sk->sk_state_change = rfcomm_l2state_change;
1895
1896         s = rfcomm_session_add(nsock, BT_OPEN);
1897         if (s) {
1898                 rfcomm_session_hold(s);
1899
1900                 /* We should adjust MTU on incoming sessions.
1901                  * L2CAP MTU minus UIH header and FCS. */
1902                 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1903                                 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1904
1905                 rfcomm_schedule();
1906         } else
1907                 sock_release(nsock);
1908 }
1909
1910 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1911 {
1912         struct sock *sk = s->sock->sk;
1913
1914         BT_DBG("%p state %ld", s, s->state);
1915
1916         switch (sk->sk_state) {
1917         case BT_CONNECTED:
1918                 s->state = BT_CONNECT;
1919
1920                 /* We can adjust MTU on outgoing sessions.
1921                  * L2CAP MTU minus UIH header and FCS. */
1922                 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1923
1924                 rfcomm_send_sabm(s, 0);
1925                 break;
1926
1927         case BT_CLOSED:
1928                 s->state = BT_CLOSED;
1929                 rfcomm_session_close(s, sk->sk_err);
1930                 break;
1931         }
1932 }
1933
1934 static inline void rfcomm_process_sessions(void)
1935 {
1936         struct list_head *p, *n;
1937
1938         rfcomm_lock();
1939
1940         list_for_each_safe(p, n, &session_list) {
1941                 struct rfcomm_session *s;
1942                 s = list_entry(p, struct rfcomm_session, list);
1943
1944                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1945                         s->state = BT_DISCONN;
1946                         rfcomm_send_disc(s, 0);
1947                         rfcomm_session_put(s);
1948                         continue;
1949                 }
1950
1951                 if (s->state == BT_LISTEN) {
1952                         rfcomm_accept_connection(s);
1953                         continue;
1954                 }
1955
1956                 rfcomm_session_hold(s);
1957
1958                 switch (s->state) {
1959                 case BT_BOUND:
1960                         rfcomm_check_connection(s);
1961                         break;
1962
1963                 default:
1964                         rfcomm_process_rx(s);
1965                         break;
1966                 }
1967
1968                 rfcomm_process_dlcs(s);
1969
1970                 rfcomm_session_put(s);
1971         }
1972
1973         rfcomm_unlock();
1974 }
1975
1976 static int rfcomm_add_listener(bdaddr_t *ba)
1977 {
1978         struct sockaddr_l2 addr;
1979         struct socket *sock;
1980         struct sock *sk;
1981         struct rfcomm_session *s;
1982         int    err = 0;
1983
1984         /* Create socket */
1985         err = rfcomm_l2sock_create(&sock);
1986         if (err < 0) {
1987                 BT_ERR("Create socket failed %d", err);
1988                 return err;
1989         }
1990
1991         /* Bind socket */
1992         bacpy(&addr.l2_bdaddr, ba);
1993         addr.l2_family = AF_BLUETOOTH;
1994         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
1995         addr.l2_cid    = 0;
1996         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1997         if (err < 0) {
1998                 BT_ERR("Bind failed %d", err);
1999                 goto failed;
2000         }
2001
2002         /* Set L2CAP options */
2003         sk = sock->sk;
2004         lock_sock(sk);
2005         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2006         release_sock(sk);
2007
2008         /* Start listening on the socket */
2009         err = kernel_listen(sock, 10);
2010         if (err) {
2011                 BT_ERR("Listen failed %d", err);
2012                 goto failed;
2013         }
2014
2015         /* Add listening session */
2016         s = rfcomm_session_add(sock, BT_LISTEN);
2017         if (!s)
2018                 goto failed;
2019
2020         rfcomm_session_hold(s);
2021         return 0;
2022 failed:
2023         sock_release(sock);
2024         return err;
2025 }
2026
2027 static void rfcomm_kill_listener(void)
2028 {
2029         struct rfcomm_session *s;
2030         struct list_head *p, *n;
2031
2032         BT_DBG("");
2033
2034         list_for_each_safe(p, n, &session_list) {
2035                 s = list_entry(p, struct rfcomm_session, list);
2036                 rfcomm_session_del(s);
2037         }
2038 }
2039
2040 static int rfcomm_run(void *unused)
2041 {
2042         BT_DBG("");
2043
2044         set_user_nice(current, -10);
2045
2046         rfcomm_add_listener(BDADDR_ANY);
2047
2048         while (1) {
2049                 set_current_state(TASK_INTERRUPTIBLE);
2050
2051                 if (kthread_should_stop())
2052                         break;
2053
2054                 /* Process stuff */
2055                 rfcomm_process_sessions();
2056
2057                 schedule();
2058         }
2059         __set_current_state(TASK_RUNNING);
2060
2061         rfcomm_kill_listener();
2062
2063         return 0;
2064 }
2065
2066 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2067 {
2068         struct rfcomm_session *s;
2069         struct rfcomm_dlc *d;
2070         struct list_head *p, *n;
2071
2072         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2073
2074         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2075         if (!s)
2076                 return;
2077
2078         rfcomm_session_hold(s);
2079
2080         list_for_each_safe(p, n, &s->dlcs) {
2081                 d = list_entry(p, struct rfcomm_dlc, list);
2082
2083                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2084                         rfcomm_dlc_clear_timer(d);
2085                         if (status || encrypt == 0x00) {
2086                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2087                                 continue;
2088                         }
2089                 }
2090
2091                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2092                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2093                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2094                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2095                                 continue;
2096                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2097                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2098                                 continue;
2099                         }
2100                 }
2101
2102                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2103                         continue;
2104
2105                 if (!status && hci_conn_check_secure(conn, d->sec_level))
2106                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2107                 else
2108                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2109         }
2110
2111         rfcomm_session_put(s);
2112
2113         rfcomm_schedule();
2114 }
2115
2116 static struct hci_cb rfcomm_cb = {
2117         .name           = "RFCOMM",
2118         .security_cfm   = rfcomm_security_cfm
2119 };
2120
2121 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2122 {
2123         struct rfcomm_session *s;
2124         struct list_head *pp, *p;
2125
2126         rfcomm_lock();
2127
2128         list_for_each(p, &session_list) {
2129                 s = list_entry(p, struct rfcomm_session, list);
2130                 list_for_each(pp, &s->dlcs) {
2131                         struct sock *sk = s->sock->sk;
2132                         struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
2133
2134                         seq_printf(f, "%s %s %ld %d %d %d %d\n",
2135                                                 batostr(&bt_sk(sk)->src),
2136                                                 batostr(&bt_sk(sk)->dst),
2137                                                 d->state, d->dlci, d->mtu,
2138                                                 d->rx_credits, d->tx_credits);
2139                 }
2140         }
2141
2142         rfcomm_unlock();
2143
2144         return 0;
2145 }
2146
2147 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2148 {
2149         return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2150 }
2151
2152 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2153         .open           = rfcomm_dlc_debugfs_open,
2154         .read           = seq_read,
2155         .llseek         = seq_lseek,
2156         .release        = single_release,
2157 };
2158
2159 static struct dentry *rfcomm_dlc_debugfs;
2160
2161 /* ---- Initialization ---- */
2162 static int __init rfcomm_init(void)
2163 {
2164         int err;
2165
2166         hci_register_cb(&rfcomm_cb);
2167
2168         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2169         if (IS_ERR(rfcomm_thread)) {
2170                 err = PTR_ERR(rfcomm_thread);
2171                 goto unregister;
2172         }
2173
2174         if (bt_debugfs) {
2175                 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2176                                 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2177                 if (!rfcomm_dlc_debugfs)
2178                         BT_ERR("Failed to create RFCOMM debug file");
2179         }
2180
2181         err = rfcomm_init_ttys();
2182         if (err < 0)
2183                 goto stop;
2184
2185         err = rfcomm_init_sockets();
2186         if (err < 0)
2187                 goto cleanup;
2188
2189         BT_INFO("RFCOMM ver %s", VERSION);
2190
2191         return 0;
2192
2193 cleanup:
2194         rfcomm_cleanup_ttys();
2195
2196 stop:
2197         kthread_stop(rfcomm_thread);
2198
2199 unregister:
2200         hci_unregister_cb(&rfcomm_cb);
2201
2202         return err;
2203 }
2204
2205 static void __exit rfcomm_exit(void)
2206 {
2207         debugfs_remove(rfcomm_dlc_debugfs);
2208
2209         hci_unregister_cb(&rfcomm_cb);
2210
2211         kthread_stop(rfcomm_thread);
2212
2213         rfcomm_cleanup_ttys();
2214
2215         rfcomm_cleanup_sockets();
2216 }
2217
2218 module_init(rfcomm_init);
2219 module_exit(rfcomm_exit);
2220
2221 module_param(disable_cfc, bool, 0644);
2222 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2223
2224 module_param(channel_mtu, int, 0644);
2225 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2226
2227 module_param(l2cap_mtu, uint, 0644);
2228 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2229
2230 module_param(l2cap_ertm, bool, 0644);
2231 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2232
2233 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2234 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2235 MODULE_VERSION(VERSION);
2236 MODULE_LICENSE("GPL");
2237 MODULE_ALIAS("bt-proto-3");