13f114e8b0f9c1a584f05f47fd336a140a710e31
[linux-2.6.git] / net / bluetooth / rfcomm / core.c
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25  * Bluetooth RFCOMM core.
26  */
27
28 #include <linux/module.h>
29 #include <linux/errno.h>
30 #include <linux/kernel.h>
31 #include <linux/sched.h>
32 #include <linux/signal.h>
33 #include <linux/init.h>
34 #include <linux/wait.h>
35 #include <linux/device.h>
36 #include <linux/debugfs.h>
37 #include <linux/seq_file.h>
38 #include <linux/net.h>
39 #include <linux/mutex.h>
40 #include <linux/kthread.h>
41
42 #include <net/sock.h>
43 #include <asm/uaccess.h>
44 #include <asm/unaligned.h>
45
46 #include <net/bluetooth/bluetooth.h>
47 #include <net/bluetooth/hci_core.h>
48 #include <net/bluetooth/l2cap.h>
49 #include <net/bluetooth/rfcomm.h>
50
51 #define VERSION "1.11"
52
53 static int disable_cfc = 0;
54 static int channel_mtu = -1;
55 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
56 static int l2cap_ertm = 0;
57
58 static struct task_struct *rfcomm_thread;
59
60 static DEFINE_MUTEX(rfcomm_mutex);
61 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
62 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
63
64 static unsigned long rfcomm_event;
65
66 static LIST_HEAD(session_list);
67
68 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
69 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
70 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
71 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
72 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
73 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
74 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
75 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
76 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
77 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
78
79 static void rfcomm_process_connect(struct rfcomm_session *s);
80
81 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err);
82 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
83 static void rfcomm_session_del(struct rfcomm_session *s);
84
85 /* ---- RFCOMM frame parsing macros ---- */
86 #define __get_dlci(b)     ((b & 0xfc) >> 2)
87 #define __get_channel(b)  ((b & 0xf8) >> 3)
88 #define __get_dir(b)      ((b & 0x04) >> 2)
89 #define __get_type(b)     ((b & 0xef))
90
91 #define __test_ea(b)      ((b & 0x01))
92 #define __test_cr(b)      ((b & 0x02))
93 #define __test_pf(b)      ((b & 0x10))
94
95 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
96 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
97 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
98 #define __srv_channel(dlci)    (dlci >> 1)
99 #define __dir(dlci)            (dlci & 0x01)
100
101 #define __len8(len)       (((len) << 1) | 1)
102 #define __len16(len)      ((len) << 1)
103
104 /* MCC macros */
105 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
106 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
107 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
108
109 /* RPN macros */
110 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
111 #define __get_rpn_data_bits(line) ((line) & 0x3)
112 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
113 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
114
115 static inline void rfcomm_schedule(uint event)
116 {
117         if (!rfcomm_thread)
118                 return;
119         //set_bit(event, &rfcomm_event);
120         set_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
121         wake_up_process(rfcomm_thread);
122 }
123
124 static inline void rfcomm_session_put(struct rfcomm_session *s)
125 {
126         if (atomic_dec_and_test(&s->refcnt))
127                 rfcomm_session_del(s);
128 }
129
130 /* ---- RFCOMM FCS computation ---- */
131
132 /* reversed, 8-bit, poly=0x07 */
133 static unsigned char rfcomm_crc_table[256] = {
134         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
135         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
136         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
137         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
138
139         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
140         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
141         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
142         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
143
144         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
145         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
146         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
147         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
148
149         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
150         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
151         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
152         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
153
154         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
155         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
156         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
157         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
158
159         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
160         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
161         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
162         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
163
164         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
165         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
166         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
167         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
168
169         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
170         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
171         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
172         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
173 };
174
175 /* CRC on 2 bytes */
176 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
177
178 /* FCS on 2 bytes */
179 static inline u8 __fcs(u8 *data)
180 {
181         return (0xff - __crc(data));
182 }
183
184 /* FCS on 3 bytes */
185 static inline u8 __fcs2(u8 *data)
186 {
187         return (0xff - rfcomm_crc_table[__crc(data) ^ data[2]]);
188 }
189
190 /* Check FCS */
191 static inline int __check_fcs(u8 *data, int type, u8 fcs)
192 {
193         u8 f = __crc(data);
194
195         if (type != RFCOMM_UIH)
196                 f = rfcomm_crc_table[f ^ data[2]];
197
198         return rfcomm_crc_table[f ^ fcs] != 0xcf;
199 }
200
201 /* ---- L2CAP callbacks ---- */
202 static void rfcomm_l2state_change(struct sock *sk)
203 {
204         BT_DBG("%p state %d", sk, sk->sk_state);
205         rfcomm_schedule(RFCOMM_SCHED_STATE);
206 }
207
208 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
209 {
210         BT_DBG("%p bytes %d", sk, bytes);
211         rfcomm_schedule(RFCOMM_SCHED_RX);
212 }
213
214 static int rfcomm_l2sock_create(struct socket **sock)
215 {
216         int err;
217
218         BT_DBG("");
219
220         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
221         if (!err) {
222                 struct sock *sk = (*sock)->sk;
223                 sk->sk_data_ready   = rfcomm_l2data_ready;
224                 sk->sk_state_change = rfcomm_l2state_change;
225         }
226         return err;
227 }
228
229 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
230 {
231         struct sock *sk = d->session->sock->sk;
232         __u8 auth_type;
233
234         switch (d->sec_level) {
235         case BT_SECURITY_HIGH:
236                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
237                 break;
238         case BT_SECURITY_MEDIUM:
239                 auth_type = HCI_AT_GENERAL_BONDING;
240                 break;
241         default:
242                 auth_type = HCI_AT_NO_BONDING;
243                 break;
244         }
245
246         return hci_conn_security(l2cap_pi(sk)->conn->hcon, d->sec_level,
247                                                                 auth_type);
248 }
249
250 static void rfcomm_session_timeout(unsigned long arg)
251 {
252         struct rfcomm_session *s = (void *) arg;
253
254         BT_DBG("session %p state %ld", s, s->state);
255
256         set_bit(RFCOMM_TIMED_OUT, &s->flags);
257         rfcomm_schedule(RFCOMM_SCHED_TIMEO);
258 }
259
260 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
261 {
262         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
263
264         if (!mod_timer(&s->timer, jiffies + timeout))
265                 rfcomm_session_hold(s);
266 }
267
268 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
269 {
270         BT_DBG("session %p state %ld", s, s->state);
271
272         if (timer_pending(&s->timer) && del_timer(&s->timer))
273                 rfcomm_session_put(s);
274 }
275
276 /* ---- RFCOMM DLCs ---- */
277 static void rfcomm_dlc_timeout(unsigned long arg)
278 {
279         struct rfcomm_dlc *d = (void *) arg;
280
281         BT_DBG("dlc %p state %ld", d, d->state);
282
283         set_bit(RFCOMM_TIMED_OUT, &d->flags);
284         rfcomm_dlc_put(d);
285         rfcomm_schedule(RFCOMM_SCHED_TIMEO);
286 }
287
288 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
289 {
290         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
291
292         if (!mod_timer(&d->timer, jiffies + timeout))
293                 rfcomm_dlc_hold(d);
294 }
295
296 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
297 {
298         BT_DBG("dlc %p state %ld", d, d->state);
299
300         if (timer_pending(&d->timer) && del_timer(&d->timer))
301                 rfcomm_dlc_put(d);
302 }
303
304 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
305 {
306         BT_DBG("%p", d);
307
308         d->state      = BT_OPEN;
309         d->flags      = 0;
310         d->mscex      = 0;
311         d->mtu        = RFCOMM_DEFAULT_MTU;
312         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
313
314         d->cfc        = RFCOMM_CFC_DISABLED;
315         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
316 }
317
318 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
319 {
320         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
321
322         if (!d)
323                 return NULL;
324
325         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
326
327         skb_queue_head_init(&d->tx_queue);
328         spin_lock_init(&d->lock);
329         atomic_set(&d->refcnt, 1);
330
331         rfcomm_dlc_clear_state(d);
332
333         BT_DBG("%p", d);
334
335         return d;
336 }
337
338 void rfcomm_dlc_free(struct rfcomm_dlc *d)
339 {
340         BT_DBG("%p", d);
341
342         skb_queue_purge(&d->tx_queue);
343         kfree(d);
344 }
345
346 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
347 {
348         BT_DBG("dlc %p session %p", d, s);
349
350         rfcomm_session_hold(s);
351
352         rfcomm_session_clear_timer(s);
353         rfcomm_dlc_hold(d);
354         list_add(&d->list, &s->dlcs);
355         d->session = s;
356 }
357
358 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
359 {
360         struct rfcomm_session *s = d->session;
361
362         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
363
364         list_del(&d->list);
365         d->session = NULL;
366         rfcomm_dlc_put(d);
367
368         if (list_empty(&s->dlcs))
369                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
370
371         rfcomm_session_put(s);
372 }
373
374 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
375 {
376         struct rfcomm_dlc *d;
377         struct list_head *p;
378
379         list_for_each(p, &s->dlcs) {
380                 d = list_entry(p, struct rfcomm_dlc, list);
381                 if (d->dlci == dlci)
382                         return d;
383         }
384         return NULL;
385 }
386
387 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
388 {
389         struct rfcomm_session *s;
390         int err = 0;
391         u8 dlci;
392
393         BT_DBG("dlc %p state %ld %s %s channel %d",
394                         d, d->state, batostr(src), batostr(dst), channel);
395
396         if (channel < 1 || channel > 30)
397                 return -EINVAL;
398
399         if (d->state != BT_OPEN && d->state != BT_CLOSED)
400                 return 0;
401
402         s = rfcomm_session_get(src, dst);
403         if (!s) {
404                 s = rfcomm_session_create(src, dst, &err);
405                 if (!s)
406                         return err;
407         }
408
409         dlci = __dlci(!s->initiator, channel);
410
411         /* Check if DLCI already exists */
412         if (rfcomm_dlc_get(s, dlci))
413                 return -EBUSY;
414
415         rfcomm_dlc_clear_state(d);
416
417         d->dlci     = dlci;
418         d->addr     = __addr(s->initiator, dlci);
419         d->priority = 7;
420
421         d->state = BT_CONFIG;
422         rfcomm_dlc_link(s, d);
423
424         d->out = 1;
425
426         d->mtu = s->mtu;
427         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
428
429         if (s->state == BT_CONNECTED) {
430                 if (rfcomm_check_security(d))
431                         rfcomm_send_pn(s, 1, d);
432                 else
433                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
434         }
435
436         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
437
438         return 0;
439 }
440
441 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
442 {
443         int r;
444
445         rfcomm_lock();
446
447         r = __rfcomm_dlc_open(d, src, dst, channel);
448
449         rfcomm_unlock();
450         return r;
451 }
452
453 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
454 {
455         struct rfcomm_session *s = d->session;
456         if (!s)
457                 return 0;
458
459         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
460                         d, d->state, d->dlci, err, s);
461
462         switch (d->state) {
463         case BT_CONNECT:
464         case BT_CONFIG:
465                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
466                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
467                         rfcomm_schedule(RFCOMM_SCHED_AUTH);
468                         break;
469                 }
470                 /* Fall through */
471
472         case BT_CONNECTED:
473                 d->state = BT_DISCONN;
474                 if (skb_queue_empty(&d->tx_queue)) {
475                         rfcomm_send_disc(s, d->dlci);
476                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
477                 } else {
478                         rfcomm_queue_disc(d);
479                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
480                 }
481                 break;
482
483         case BT_OPEN:
484         case BT_CONNECT2:
485                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
486                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
487                         rfcomm_schedule(RFCOMM_SCHED_AUTH);
488                         break;
489                 }
490                 /* Fall through */
491
492         default:
493                 rfcomm_dlc_clear_timer(d);
494
495                 rfcomm_dlc_lock(d);
496                 d->state = BT_CLOSED;
497                 d->state_change(d, err);
498                 rfcomm_dlc_unlock(d);
499
500                 skb_queue_purge(&d->tx_queue);
501                 rfcomm_dlc_unlink(d);
502         }
503
504         return 0;
505 }
506
507 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
508 {
509         int r;
510
511         rfcomm_lock();
512
513         r = __rfcomm_dlc_close(d, err);
514
515         rfcomm_unlock();
516         return r;
517 }
518
519 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
520 {
521         int len = skb->len;
522
523         if (d->state != BT_CONNECTED)
524                 return -ENOTCONN;
525
526         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
527
528         if (len > d->mtu)
529                 return -EINVAL;
530
531         rfcomm_make_uih(skb, d->addr);
532         skb_queue_tail(&d->tx_queue, skb);
533
534         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
535                 rfcomm_schedule(RFCOMM_SCHED_TX);
536         return len;
537 }
538
539 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
540 {
541         BT_DBG("dlc %p state %ld", d, d->state);
542
543         if (!d->cfc) {
544                 d->v24_sig |= RFCOMM_V24_FC;
545                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
546         }
547         rfcomm_schedule(RFCOMM_SCHED_TX);
548 }
549
550 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
551 {
552         BT_DBG("dlc %p state %ld", d, d->state);
553
554         if (!d->cfc) {
555                 d->v24_sig &= ~RFCOMM_V24_FC;
556                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
557         }
558         rfcomm_schedule(RFCOMM_SCHED_TX);
559 }
560
561 /*
562    Set/get modem status functions use _local_ status i.e. what we report
563    to the other side.
564    Remote status is provided by dlc->modem_status() callback.
565  */
566 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
567 {
568         BT_DBG("dlc %p state %ld v24_sig 0x%x",
569                         d, d->state, v24_sig);
570
571         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
572                 v24_sig |= RFCOMM_V24_FC;
573         else
574                 v24_sig &= ~RFCOMM_V24_FC;
575
576         d->v24_sig = v24_sig;
577
578         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
579                 rfcomm_schedule(RFCOMM_SCHED_TX);
580
581         return 0;
582 }
583
584 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
585 {
586         BT_DBG("dlc %p state %ld v24_sig 0x%x",
587                         d, d->state, d->v24_sig);
588
589         *v24_sig = d->v24_sig;
590         return 0;
591 }
592
593 /* ---- RFCOMM sessions ---- */
594 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
595 {
596         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
597
598         if (!s)
599                 return NULL;
600
601         BT_DBG("session %p sock %p", s, sock);
602
603         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
604
605         INIT_LIST_HEAD(&s->dlcs);
606         s->state = state;
607         s->sock  = sock;
608
609         s->mtu = RFCOMM_DEFAULT_MTU;
610         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
611
612         /* Do not increment module usage count for listening sessions.
613          * Otherwise we won't be able to unload the module. */
614         if (state != BT_LISTEN)
615                 if (!try_module_get(THIS_MODULE)) {
616                         kfree(s);
617                         return NULL;
618                 }
619
620         list_add(&s->list, &session_list);
621
622         return s;
623 }
624
625 static void rfcomm_session_del(struct rfcomm_session *s)
626 {
627         int state = s->state;
628
629         BT_DBG("session %p state %ld", s, s->state);
630
631         list_del(&s->list);
632
633         if (state == BT_CONNECTED)
634                 rfcomm_send_disc(s, 0);
635
636         rfcomm_session_clear_timer(s);
637         sock_release(s->sock);
638         kfree(s);
639
640         if (state != BT_LISTEN)
641                 module_put(THIS_MODULE);
642 }
643
644 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
645 {
646         struct rfcomm_session *s;
647         struct list_head *p, *n;
648         struct bt_sock *sk;
649         list_for_each_safe(p, n, &session_list) {
650                 s = list_entry(p, struct rfcomm_session, list);
651                 sk = bt_sk(s->sock->sk);
652
653                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
654                                 !bacmp(&sk->dst, dst))
655                         return s;
656         }
657         return NULL;
658 }
659
660 static void rfcomm_session_close(struct rfcomm_session *s, int err)
661 {
662         struct rfcomm_dlc *d;
663         struct list_head *p, *n;
664
665         BT_DBG("session %p state %ld err %d", s, s->state, err);
666
667         rfcomm_session_hold(s);
668
669         s->state = BT_CLOSED;
670
671         /* Close all dlcs */
672         list_for_each_safe(p, n, &s->dlcs) {
673                 d = list_entry(p, struct rfcomm_dlc, list);
674                 d->state = BT_CLOSED;
675                 __rfcomm_dlc_close(d, err);
676         }
677
678         rfcomm_session_clear_timer(s);
679         rfcomm_session_put(s);
680 }
681
682 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err)
683 {
684         struct rfcomm_session *s = NULL;
685         struct sockaddr_l2 addr;
686         struct socket *sock;
687         struct sock *sk;
688
689         BT_DBG("%s %s", batostr(src), batostr(dst));
690
691         *err = rfcomm_l2sock_create(&sock);
692         if (*err < 0)
693                 return NULL;
694
695         bacpy(&addr.l2_bdaddr, src);
696         addr.l2_family = AF_BLUETOOTH;
697         addr.l2_psm    = 0;
698         addr.l2_cid    = 0;
699         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
700         if (*err < 0)
701                 goto failed;
702
703         /* Set L2CAP options */
704         sk = sock->sk;
705         lock_sock(sk);
706         l2cap_pi(sk)->imtu = l2cap_mtu;
707         if (l2cap_ertm)
708                 l2cap_pi(sk)->mode = L2CAP_MODE_ERTM;
709         release_sock(sk);
710
711         s = rfcomm_session_add(sock, BT_BOUND);
712         if (!s) {
713                 *err = -ENOMEM;
714                 goto failed;
715         }
716
717         s->initiator = 1;
718
719         bacpy(&addr.l2_bdaddr, dst);
720         addr.l2_family = AF_BLUETOOTH;
721         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
722         addr.l2_cid    = 0;
723         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
724         if (*err == 0 || *err == -EINPROGRESS)
725                 return s;
726
727         rfcomm_session_del(s);
728         return NULL;
729
730 failed:
731         sock_release(sock);
732         return NULL;
733 }
734
735 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
736 {
737         struct sock *sk = s->sock->sk;
738         if (src)
739                 bacpy(src, &bt_sk(sk)->src);
740         if (dst)
741                 bacpy(dst, &bt_sk(sk)->dst);
742 }
743
744 /* ---- RFCOMM frame sending ---- */
745 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
746 {
747         struct socket *sock = s->sock;
748         struct kvec iv = { data, len };
749         struct msghdr msg;
750
751         BT_DBG("session %p len %d", s, len);
752
753         memset(&msg, 0, sizeof(msg));
754
755         return kernel_sendmsg(sock, &msg, &iv, 1, len);
756 }
757
758 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
759 {
760         struct rfcomm_cmd cmd;
761
762         BT_DBG("%p dlci %d", s, dlci);
763
764         cmd.addr = __addr(s->initiator, dlci);
765         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
766         cmd.len  = __len8(0);
767         cmd.fcs  = __fcs2((u8 *) &cmd);
768
769         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
770 }
771
772 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
773 {
774         struct rfcomm_cmd cmd;
775
776         BT_DBG("%p dlci %d", s, dlci);
777
778         cmd.addr = __addr(!s->initiator, dlci);
779         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
780         cmd.len  = __len8(0);
781         cmd.fcs  = __fcs2((u8 *) &cmd);
782
783         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
784 }
785
786 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
787 {
788         struct rfcomm_cmd cmd;
789
790         BT_DBG("%p dlci %d", s, dlci);
791
792         cmd.addr = __addr(s->initiator, dlci);
793         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
794         cmd.len  = __len8(0);
795         cmd.fcs  = __fcs2((u8 *) &cmd);
796
797         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
798 }
799
800 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
801 {
802         struct rfcomm_cmd *cmd;
803         struct sk_buff *skb;
804
805         BT_DBG("dlc %p dlci %d", d, d->dlci);
806
807         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
808         if (!skb)
809                 return -ENOMEM;
810
811         cmd = (void *) __skb_put(skb, sizeof(*cmd));
812         cmd->addr = d->addr;
813         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
814         cmd->len  = __len8(0);
815         cmd->fcs  = __fcs2((u8 *) cmd);
816
817         skb_queue_tail(&d->tx_queue, skb);
818         rfcomm_schedule(RFCOMM_SCHED_TX);
819         return 0;
820 }
821
822 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
823 {
824         struct rfcomm_cmd cmd;
825
826         BT_DBG("%p dlci %d", s, dlci);
827
828         cmd.addr = __addr(!s->initiator, dlci);
829         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
830         cmd.len  = __len8(0);
831         cmd.fcs  = __fcs2((u8 *) &cmd);
832
833         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
834 }
835
836 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
837 {
838         struct rfcomm_hdr *hdr;
839         struct rfcomm_mcc *mcc;
840         u8 buf[16], *ptr = buf;
841
842         BT_DBG("%p cr %d type %d", s, cr, type);
843
844         hdr = (void *) ptr; ptr += sizeof(*hdr);
845         hdr->addr = __addr(s->initiator, 0);
846         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
847         hdr->len  = __len8(sizeof(*mcc) + 1);
848
849         mcc = (void *) ptr; ptr += sizeof(*mcc);
850         mcc->type = __mcc_type(cr, RFCOMM_NSC);
851         mcc->len  = __len8(1);
852
853         /* Type that we didn't like */
854         *ptr = __mcc_type(cr, type); ptr++;
855
856         *ptr = __fcs(buf); ptr++;
857
858         return rfcomm_send_frame(s, buf, ptr - buf);
859 }
860
861 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
862 {
863         struct rfcomm_hdr *hdr;
864         struct rfcomm_mcc *mcc;
865         struct rfcomm_pn  *pn;
866         u8 buf[16], *ptr = buf;
867
868         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
869
870         hdr = (void *) ptr; ptr += sizeof(*hdr);
871         hdr->addr = __addr(s->initiator, 0);
872         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
873         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
874
875         mcc = (void *) ptr; ptr += sizeof(*mcc);
876         mcc->type = __mcc_type(cr, RFCOMM_PN);
877         mcc->len  = __len8(sizeof(*pn));
878
879         pn = (void *) ptr; ptr += sizeof(*pn);
880         pn->dlci        = d->dlci;
881         pn->priority    = d->priority;
882         pn->ack_timer   = 0;
883         pn->max_retrans = 0;
884
885         if (s->cfc) {
886                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
887                 pn->credits = RFCOMM_DEFAULT_CREDITS;
888         } else {
889                 pn->flow_ctrl = 0;
890                 pn->credits   = 0;
891         }
892
893         if (cr && channel_mtu >= 0)
894                 pn->mtu = cpu_to_le16(channel_mtu);
895         else
896                 pn->mtu = cpu_to_le16(d->mtu);
897
898         *ptr = __fcs(buf); ptr++;
899
900         return rfcomm_send_frame(s, buf, ptr - buf);
901 }
902
903 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
904                         u8 bit_rate, u8 data_bits, u8 stop_bits,
905                         u8 parity, u8 flow_ctrl_settings,
906                         u8 xon_char, u8 xoff_char, u16 param_mask)
907 {
908         struct rfcomm_hdr *hdr;
909         struct rfcomm_mcc *mcc;
910         struct rfcomm_rpn *rpn;
911         u8 buf[16], *ptr = buf;
912
913         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
914                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
915                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
916                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
917
918         hdr = (void *) ptr; ptr += sizeof(*hdr);
919         hdr->addr = __addr(s->initiator, 0);
920         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
921         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
922
923         mcc = (void *) ptr; ptr += sizeof(*mcc);
924         mcc->type = __mcc_type(cr, RFCOMM_RPN);
925         mcc->len  = __len8(sizeof(*rpn));
926
927         rpn = (void *) ptr; ptr += sizeof(*rpn);
928         rpn->dlci          = __addr(1, dlci);
929         rpn->bit_rate      = bit_rate;
930         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
931         rpn->flow_ctrl     = flow_ctrl_settings;
932         rpn->xon_char      = xon_char;
933         rpn->xoff_char     = xoff_char;
934         rpn->param_mask    = cpu_to_le16(param_mask);
935
936         *ptr = __fcs(buf); ptr++;
937
938         return rfcomm_send_frame(s, buf, ptr - buf);
939 }
940
941 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
942 {
943         struct rfcomm_hdr *hdr;
944         struct rfcomm_mcc *mcc;
945         struct rfcomm_rls *rls;
946         u8 buf[16], *ptr = buf;
947
948         BT_DBG("%p cr %d status 0x%x", s, cr, status);
949
950         hdr = (void *) ptr; ptr += sizeof(*hdr);
951         hdr->addr = __addr(s->initiator, 0);
952         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
953         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
954
955         mcc = (void *) ptr; ptr += sizeof(*mcc);
956         mcc->type = __mcc_type(cr, RFCOMM_RLS);
957         mcc->len  = __len8(sizeof(*rls));
958
959         rls = (void *) ptr; ptr += sizeof(*rls);
960         rls->dlci   = __addr(1, dlci);
961         rls->status = status;
962
963         *ptr = __fcs(buf); ptr++;
964
965         return rfcomm_send_frame(s, buf, ptr - buf);
966 }
967
968 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
969 {
970         struct rfcomm_hdr *hdr;
971         struct rfcomm_mcc *mcc;
972         struct rfcomm_msc *msc;
973         u8 buf[16], *ptr = buf;
974
975         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
976
977         hdr = (void *) ptr; ptr += sizeof(*hdr);
978         hdr->addr = __addr(s->initiator, 0);
979         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
980         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
981
982         mcc = (void *) ptr; ptr += sizeof(*mcc);
983         mcc->type = __mcc_type(cr, RFCOMM_MSC);
984         mcc->len  = __len8(sizeof(*msc));
985
986         msc = (void *) ptr; ptr += sizeof(*msc);
987         msc->dlci    = __addr(1, dlci);
988         msc->v24_sig = v24_sig | 0x01;
989
990         *ptr = __fcs(buf); ptr++;
991
992         return rfcomm_send_frame(s, buf, ptr - buf);
993 }
994
995 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
996 {
997         struct rfcomm_hdr *hdr;
998         struct rfcomm_mcc *mcc;
999         u8 buf[16], *ptr = buf;
1000
1001         BT_DBG("%p cr %d", s, cr);
1002
1003         hdr = (void *) ptr; ptr += sizeof(*hdr);
1004         hdr->addr = __addr(s->initiator, 0);
1005         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1006         hdr->len  = __len8(sizeof(*mcc));
1007
1008         mcc = (void *) ptr; ptr += sizeof(*mcc);
1009         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1010         mcc->len  = __len8(0);
1011
1012         *ptr = __fcs(buf); ptr++;
1013
1014         return rfcomm_send_frame(s, buf, ptr - buf);
1015 }
1016
1017 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1018 {
1019         struct rfcomm_hdr *hdr;
1020         struct rfcomm_mcc *mcc;
1021         u8 buf[16], *ptr = buf;
1022
1023         BT_DBG("%p cr %d", s, cr);
1024
1025         hdr = (void *) ptr; ptr += sizeof(*hdr);
1026         hdr->addr = __addr(s->initiator, 0);
1027         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1028         hdr->len  = __len8(sizeof(*mcc));
1029
1030         mcc = (void *) ptr; ptr += sizeof(*mcc);
1031         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1032         mcc->len  = __len8(0);
1033
1034         *ptr = __fcs(buf); ptr++;
1035
1036         return rfcomm_send_frame(s, buf, ptr - buf);
1037 }
1038
1039 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1040 {
1041         struct socket *sock = s->sock;
1042         struct kvec iv[3];
1043         struct msghdr msg;
1044         unsigned char hdr[5], crc[1];
1045
1046         if (len > 125)
1047                 return -EINVAL;
1048
1049         BT_DBG("%p cr %d", s, cr);
1050
1051         hdr[0] = __addr(s->initiator, 0);
1052         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1053         hdr[2] = 0x01 | ((len + 2) << 1);
1054         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1055         hdr[4] = 0x01 | (len << 1);
1056
1057         crc[0] = __fcs(hdr);
1058
1059         iv[0].iov_base = hdr;
1060         iv[0].iov_len  = 5;
1061         iv[1].iov_base = pattern;
1062         iv[1].iov_len  = len;
1063         iv[2].iov_base = crc;
1064         iv[2].iov_len  = 1;
1065
1066         memset(&msg, 0, sizeof(msg));
1067
1068         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1069 }
1070
1071 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1072 {
1073         struct rfcomm_hdr *hdr;
1074         u8 buf[16], *ptr = buf;
1075
1076         BT_DBG("%p addr %d credits %d", s, addr, credits);
1077
1078         hdr = (void *) ptr; ptr += sizeof(*hdr);
1079         hdr->addr = addr;
1080         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1081         hdr->len  = __len8(0);
1082
1083         *ptr = credits; ptr++;
1084
1085         *ptr = __fcs(buf); ptr++;
1086
1087         return rfcomm_send_frame(s, buf, ptr - buf);
1088 }
1089
1090 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1091 {
1092         struct rfcomm_hdr *hdr;
1093         int len = skb->len;
1094         u8 *crc;
1095
1096         if (len > 127) {
1097                 hdr = (void *) skb_push(skb, 4);
1098                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1099         } else {
1100                 hdr = (void *) skb_push(skb, 3);
1101                 hdr->len = __len8(len);
1102         }
1103         hdr->addr = addr;
1104         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1105
1106         crc = skb_put(skb, 1);
1107         *crc = __fcs((void *) hdr);
1108 }
1109
1110 /* ---- RFCOMM frame reception ---- */
1111 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1112 {
1113         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1114
1115         if (dlci) {
1116                 /* Data channel */
1117                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1118                 if (!d) {
1119                         rfcomm_send_dm(s, dlci);
1120                         return 0;
1121                 }
1122
1123                 switch (d->state) {
1124                 case BT_CONNECT:
1125                         rfcomm_dlc_clear_timer(d);
1126
1127                         rfcomm_dlc_lock(d);
1128                         d->state = BT_CONNECTED;
1129                         d->state_change(d, 0);
1130                         rfcomm_dlc_unlock(d);
1131
1132                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1133                         break;
1134
1135                 case BT_DISCONN:
1136                         d->state = BT_CLOSED;
1137                         __rfcomm_dlc_close(d, 0);
1138
1139                         if (list_empty(&s->dlcs)) {
1140                                 s->state = BT_DISCONN;
1141                                 rfcomm_send_disc(s, 0);
1142                         }
1143
1144                         break;
1145                 }
1146         } else {
1147                 /* Control channel */
1148                 switch (s->state) {
1149                 case BT_CONNECT:
1150                         s->state = BT_CONNECTED;
1151                         rfcomm_process_connect(s);
1152                         break;
1153
1154                 case BT_DISCONN:
1155                         /* When socket is closed and we are not RFCOMM
1156                          * initiator rfcomm_process_rx already calls
1157                          * rfcomm_session_put() */
1158                         if (s->sock->sk->sk_state != BT_CLOSED)
1159                                 rfcomm_session_put(s);
1160                         break;
1161                 }
1162         }
1163         return 0;
1164 }
1165
1166 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1167 {
1168         int err = 0;
1169
1170         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1171
1172         if (dlci) {
1173                 /* Data DLC */
1174                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1175                 if (d) {
1176                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1177                                 err = ECONNREFUSED;
1178                         else
1179                                 err = ECONNRESET;
1180
1181                         d->state = BT_CLOSED;
1182                         __rfcomm_dlc_close(d, err);
1183                 }
1184         } else {
1185                 if (s->state == BT_CONNECT)
1186                         err = ECONNREFUSED;
1187                 else
1188                         err = ECONNRESET;
1189
1190                 s->state = BT_CLOSED;
1191                 rfcomm_session_close(s, err);
1192         }
1193         return 0;
1194 }
1195
1196 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1197 {
1198         int err = 0;
1199
1200         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1201
1202         if (dlci) {
1203                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1204                 if (d) {
1205                         rfcomm_send_ua(s, dlci);
1206
1207                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1208                                 err = ECONNREFUSED;
1209                         else
1210                                 err = ECONNRESET;
1211
1212                         d->state = BT_CLOSED;
1213                         __rfcomm_dlc_close(d, err);
1214                 } else
1215                         rfcomm_send_dm(s, dlci);
1216
1217         } else {
1218                 rfcomm_send_ua(s, 0);
1219
1220                 if (s->state == BT_CONNECT)
1221                         err = ECONNREFUSED;
1222                 else
1223                         err = ECONNRESET;
1224
1225                 s->state = BT_CLOSED;
1226                 rfcomm_session_close(s, err);
1227         }
1228
1229         return 0;
1230 }
1231
1232 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1233 {
1234         struct sock *sk = d->session->sock->sk;
1235
1236         BT_DBG("dlc %p", d);
1237
1238         rfcomm_send_ua(d->session, d->dlci);
1239
1240         rfcomm_dlc_clear_timer(d);
1241
1242         rfcomm_dlc_lock(d);
1243         d->state = BT_CONNECTED;
1244         d->state_change(d, 0);
1245         rfcomm_dlc_unlock(d);
1246
1247         if (d->role_switch)
1248                 hci_conn_switch_role(l2cap_pi(sk)->conn->hcon, 0x00);
1249
1250         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1251 }
1252
1253 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1254 {
1255         if (rfcomm_check_security(d)) {
1256                 if (d->defer_setup) {
1257                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1258                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1259
1260                         rfcomm_dlc_lock(d);
1261                         d->state = BT_CONNECT2;
1262                         d->state_change(d, 0);
1263                         rfcomm_dlc_unlock(d);
1264                 } else
1265                         rfcomm_dlc_accept(d);
1266         } else {
1267                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1268                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1269         }
1270 }
1271
1272 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1273 {
1274         struct rfcomm_dlc *d;
1275         u8 channel;
1276
1277         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1278
1279         if (!dlci) {
1280                 rfcomm_send_ua(s, 0);
1281
1282                 if (s->state == BT_OPEN) {
1283                         s->state = BT_CONNECTED;
1284                         rfcomm_process_connect(s);
1285                 }
1286                 return 0;
1287         }
1288
1289         /* Check if DLC exists */
1290         d = rfcomm_dlc_get(s, dlci);
1291         if (d) {
1292                 if (d->state == BT_OPEN) {
1293                         /* DLC was previously opened by PN request */
1294                         rfcomm_check_accept(d);
1295                 }
1296                 return 0;
1297         }
1298
1299         /* Notify socket layer about incoming connection */
1300         channel = __srv_channel(dlci);
1301         if (rfcomm_connect_ind(s, channel, &d)) {
1302                 d->dlci = dlci;
1303                 d->addr = __addr(s->initiator, dlci);
1304                 rfcomm_dlc_link(s, d);
1305
1306                 rfcomm_check_accept(d);
1307         } else {
1308                 rfcomm_send_dm(s, dlci);
1309         }
1310
1311         return 0;
1312 }
1313
1314 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1315 {
1316         struct rfcomm_session *s = d->session;
1317
1318         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1319                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1320
1321         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1322                                                 pn->flow_ctrl == 0xe0) {
1323                 d->cfc = RFCOMM_CFC_ENABLED;
1324                 d->tx_credits = pn->credits;
1325         } else {
1326                 d->cfc = RFCOMM_CFC_DISABLED;
1327                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1328         }
1329
1330         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1331                 s->cfc = d->cfc;
1332
1333         d->priority = pn->priority;
1334
1335         d->mtu = __le16_to_cpu(pn->mtu);
1336
1337         if (cr && d->mtu > s->mtu)
1338                 d->mtu = s->mtu;
1339
1340         return 0;
1341 }
1342
1343 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1344 {
1345         struct rfcomm_pn *pn = (void *) skb->data;
1346         struct rfcomm_dlc *d;
1347         u8 dlci = pn->dlci;
1348
1349         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1350
1351         if (!dlci)
1352                 return 0;
1353
1354         d = rfcomm_dlc_get(s, dlci);
1355         if (d) {
1356                 if (cr) {
1357                         /* PN request */
1358                         rfcomm_apply_pn(d, cr, pn);
1359                         rfcomm_send_pn(s, 0, d);
1360                 } else {
1361                         /* PN response */
1362                         switch (d->state) {
1363                         case BT_CONFIG:
1364                                 rfcomm_apply_pn(d, cr, pn);
1365
1366                                 d->state = BT_CONNECT;
1367                                 rfcomm_send_sabm(s, d->dlci);
1368                                 break;
1369                         }
1370                 }
1371         } else {
1372                 u8 channel = __srv_channel(dlci);
1373
1374                 if (!cr)
1375                         return 0;
1376
1377                 /* PN request for non existing DLC.
1378                  * Assume incoming connection. */
1379                 if (rfcomm_connect_ind(s, channel, &d)) {
1380                         d->dlci = dlci;
1381                         d->addr = __addr(s->initiator, dlci);
1382                         rfcomm_dlc_link(s, d);
1383
1384                         rfcomm_apply_pn(d, cr, pn);
1385
1386                         d->state = BT_OPEN;
1387                         rfcomm_send_pn(s, 0, d);
1388                 } else {
1389                         rfcomm_send_dm(s, dlci);
1390                 }
1391         }
1392         return 0;
1393 }
1394
1395 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1396 {
1397         struct rfcomm_rpn *rpn = (void *) skb->data;
1398         u8 dlci = __get_dlci(rpn->dlci);
1399
1400         u8 bit_rate  = 0;
1401         u8 data_bits = 0;
1402         u8 stop_bits = 0;
1403         u8 parity    = 0;
1404         u8 flow_ctrl = 0;
1405         u8 xon_char  = 0;
1406         u8 xoff_char = 0;
1407         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1408
1409         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1410                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1411                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1412
1413         if (!cr)
1414                 return 0;
1415
1416         if (len == 1) {
1417                 /* This is a request, return default settings */
1418                 bit_rate  = RFCOMM_RPN_BR_115200;
1419                 data_bits = RFCOMM_RPN_DATA_8;
1420                 stop_bits = RFCOMM_RPN_STOP_1;
1421                 parity    = RFCOMM_RPN_PARITY_NONE;
1422                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1423                 xon_char  = RFCOMM_RPN_XON_CHAR;
1424                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1425                 goto rpn_out;
1426         }
1427
1428         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1429          * no parity, no flow control lines, normal XON/XOFF chars */
1430
1431         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1432                 bit_rate = rpn->bit_rate;
1433                 if (bit_rate != RFCOMM_RPN_BR_115200) {
1434                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1435                         bit_rate = RFCOMM_RPN_BR_115200;
1436                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1437                 }
1438         }
1439
1440         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1441                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1442                 if (data_bits != RFCOMM_RPN_DATA_8) {
1443                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1444                         data_bits = RFCOMM_RPN_DATA_8;
1445                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1446                 }
1447         }
1448
1449         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1450                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1451                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1452                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1453                         stop_bits = RFCOMM_RPN_STOP_1;
1454                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1455                 }
1456         }
1457
1458         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1459                 parity = __get_rpn_parity(rpn->line_settings);
1460                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1461                         BT_DBG("RPN parity mismatch 0x%x", parity);
1462                         parity = RFCOMM_RPN_PARITY_NONE;
1463                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1464                 }
1465         }
1466
1467         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1468                 flow_ctrl = rpn->flow_ctrl;
1469                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1470                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1471                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1472                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1473                 }
1474         }
1475
1476         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1477                 xon_char = rpn->xon_char;
1478                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1479                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1480                         xon_char = RFCOMM_RPN_XON_CHAR;
1481                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1482                 }
1483         }
1484
1485         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1486                 xoff_char = rpn->xoff_char;
1487                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1488                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1489                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1490                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1491                 }
1492         }
1493
1494 rpn_out:
1495         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1496                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1497
1498         return 0;
1499 }
1500
1501 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1502 {
1503         struct rfcomm_rls *rls = (void *) skb->data;
1504         u8 dlci = __get_dlci(rls->dlci);
1505
1506         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1507
1508         if (!cr)
1509                 return 0;
1510
1511         /* We should probably do something with this information here. But
1512          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1513          * mandatory to recognise and respond to RLS */
1514
1515         rfcomm_send_rls(s, 0, dlci, rls->status);
1516
1517         return 0;
1518 }
1519
1520 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1521 {
1522         struct rfcomm_msc *msc = (void *) skb->data;
1523         struct rfcomm_dlc *d;
1524         u8 dlci = __get_dlci(msc->dlci);
1525
1526         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1527
1528         d = rfcomm_dlc_get(s, dlci);
1529         if (!d)
1530                 return 0;
1531
1532         if (cr) {
1533                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1534                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1535                 else
1536                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1537
1538                 rfcomm_dlc_lock(d);
1539
1540                 d->remote_v24_sig = msc->v24_sig;
1541
1542                 if (d->modem_status)
1543                         d->modem_status(d, msc->v24_sig);
1544
1545                 rfcomm_dlc_unlock(d);
1546
1547                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1548
1549                 d->mscex |= RFCOMM_MSCEX_RX;
1550         } else
1551                 d->mscex |= RFCOMM_MSCEX_TX;
1552
1553         return 0;
1554 }
1555
1556 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1557 {
1558         struct rfcomm_mcc *mcc = (void *) skb->data;
1559         u8 type, cr, len;
1560
1561         cr   = __test_cr(mcc->type);
1562         type = __get_mcc_type(mcc->type);
1563         len  = __get_mcc_len(mcc->len);
1564
1565         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1566
1567         skb_pull(skb, 2);
1568
1569         switch (type) {
1570         case RFCOMM_PN:
1571                 rfcomm_recv_pn(s, cr, skb);
1572                 break;
1573
1574         case RFCOMM_RPN:
1575                 rfcomm_recv_rpn(s, cr, len, skb);
1576                 break;
1577
1578         case RFCOMM_RLS:
1579                 rfcomm_recv_rls(s, cr, skb);
1580                 break;
1581
1582         case RFCOMM_MSC:
1583                 rfcomm_recv_msc(s, cr, skb);
1584                 break;
1585
1586         case RFCOMM_FCOFF:
1587                 if (cr) {
1588                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1589                         rfcomm_send_fcoff(s, 0);
1590                 }
1591                 break;
1592
1593         case RFCOMM_FCON:
1594                 if (cr) {
1595                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1596                         rfcomm_send_fcon(s, 0);
1597                 }
1598                 break;
1599
1600         case RFCOMM_TEST:
1601                 if (cr)
1602                         rfcomm_send_test(s, 0, skb->data, skb->len);
1603                 break;
1604
1605         case RFCOMM_NSC:
1606                 break;
1607
1608         default:
1609                 BT_ERR("Unknown control type 0x%02x", type);
1610                 rfcomm_send_nsc(s, cr, type);
1611                 break;
1612         }
1613         return 0;
1614 }
1615
1616 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1617 {
1618         struct rfcomm_dlc *d;
1619
1620         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1621
1622         d = rfcomm_dlc_get(s, dlci);
1623         if (!d) {
1624                 rfcomm_send_dm(s, dlci);
1625                 goto drop;
1626         }
1627
1628         if (pf && d->cfc) {
1629                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1630
1631                 d->tx_credits += credits;
1632                 if (d->tx_credits)
1633                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1634         }
1635
1636         if (skb->len && d->state == BT_CONNECTED) {
1637                 rfcomm_dlc_lock(d);
1638                 d->rx_credits--;
1639                 d->data_ready(d, skb);
1640                 rfcomm_dlc_unlock(d);
1641                 return 0;
1642         }
1643
1644 drop:
1645         kfree_skb(skb);
1646         return 0;
1647 }
1648
1649 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1650 {
1651         struct rfcomm_hdr *hdr = (void *) skb->data;
1652         u8 type, dlci, fcs;
1653
1654         dlci = __get_dlci(hdr->addr);
1655         type = __get_type(hdr->ctrl);
1656
1657         /* Trim FCS */
1658         skb->len--; skb->tail--;
1659         fcs = *(u8 *)skb_tail_pointer(skb);
1660
1661         if (__check_fcs(skb->data, type, fcs)) {
1662                 BT_ERR("bad checksum in packet");
1663                 kfree_skb(skb);
1664                 return -EILSEQ;
1665         }
1666
1667         if (__test_ea(hdr->len))
1668                 skb_pull(skb, 3);
1669         else
1670                 skb_pull(skb, 4);
1671
1672         switch (type) {
1673         case RFCOMM_SABM:
1674                 if (__test_pf(hdr->ctrl))
1675                         rfcomm_recv_sabm(s, dlci);
1676                 break;
1677
1678         case RFCOMM_DISC:
1679                 if (__test_pf(hdr->ctrl))
1680                         rfcomm_recv_disc(s, dlci);
1681                 break;
1682
1683         case RFCOMM_UA:
1684                 if (__test_pf(hdr->ctrl))
1685                         rfcomm_recv_ua(s, dlci);
1686                 break;
1687
1688         case RFCOMM_DM:
1689                 rfcomm_recv_dm(s, dlci);
1690                 break;
1691
1692         case RFCOMM_UIH:
1693                 if (dlci)
1694                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1695
1696                 rfcomm_recv_mcc(s, skb);
1697                 break;
1698
1699         default:
1700                 BT_ERR("Unknown packet type 0x%02x\n", type);
1701                 break;
1702         }
1703         kfree_skb(skb);
1704         return 0;
1705 }
1706
1707 /* ---- Connection and data processing ---- */
1708
1709 static void rfcomm_process_connect(struct rfcomm_session *s)
1710 {
1711         struct rfcomm_dlc *d;
1712         struct list_head *p, *n;
1713
1714         BT_DBG("session %p state %ld", s, s->state);
1715
1716         list_for_each_safe(p, n, &s->dlcs) {
1717                 d = list_entry(p, struct rfcomm_dlc, list);
1718                 if (d->state == BT_CONFIG) {
1719                         d->mtu = s->mtu;
1720                         if (rfcomm_check_security(d)) {
1721                                 rfcomm_send_pn(s, 1, d);
1722                         } else {
1723                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1724                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1725                         }
1726                 }
1727         }
1728 }
1729
1730 /* Send data queued for the DLC.
1731  * Return number of frames left in the queue.
1732  */
1733 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1734 {
1735         struct sk_buff *skb;
1736         int err;
1737
1738         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1739                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1740
1741         /* Send pending MSC */
1742         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1743                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1744
1745         if (d->cfc) {
1746                 /* CFC enabled.
1747                  * Give them some credits */
1748                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1749                                 d->rx_credits <= (d->cfc >> 2)) {
1750                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1751                         d->rx_credits = d->cfc;
1752                 }
1753         } else {
1754                 /* CFC disabled.
1755                  * Give ourselves some credits */
1756                 d->tx_credits = 5;
1757         }
1758
1759         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1760                 return skb_queue_len(&d->tx_queue);
1761
1762         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1763                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1764                 if (err < 0) {
1765                         skb_queue_head(&d->tx_queue, skb);
1766                         break;
1767                 }
1768                 kfree_skb(skb);
1769                 d->tx_credits--;
1770         }
1771
1772         if (d->cfc && !d->tx_credits) {
1773                 /* We're out of TX credits.
1774                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1775                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1776         }
1777
1778         return skb_queue_len(&d->tx_queue);
1779 }
1780
1781 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1782 {
1783         struct rfcomm_dlc *d;
1784         struct list_head *p, *n;
1785
1786         BT_DBG("session %p state %ld", s, s->state);
1787
1788         list_for_each_safe(p, n, &s->dlcs) {
1789                 d = list_entry(p, struct rfcomm_dlc, list);
1790
1791                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1792                         __rfcomm_dlc_close(d, ETIMEDOUT);
1793                         continue;
1794                 }
1795
1796                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1797                         rfcomm_dlc_clear_timer(d);
1798                         if (d->out) {
1799                                 rfcomm_send_pn(s, 1, d);
1800                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1801                         } else {
1802                                 if (d->defer_setup) {
1803                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1804                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1805
1806                                         rfcomm_dlc_lock(d);
1807                                         d->state = BT_CONNECT2;
1808                                         d->state_change(d, 0);
1809                                         rfcomm_dlc_unlock(d);
1810                                 } else
1811                                         rfcomm_dlc_accept(d);
1812                         }
1813                         continue;
1814                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1815                         rfcomm_dlc_clear_timer(d);
1816                         if (!d->out)
1817                                 rfcomm_send_dm(s, d->dlci);
1818                         else
1819                                 d->state = BT_CLOSED;
1820                         __rfcomm_dlc_close(d, ECONNREFUSED);
1821                         continue;
1822                 }
1823
1824                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1825                         continue;
1826
1827                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1828                         continue;
1829
1830                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1831                                                 d->mscex == RFCOMM_MSCEX_OK)
1832                         rfcomm_process_tx(d);
1833         }
1834 }
1835
1836 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1837 {
1838         struct socket *sock = s->sock;
1839         struct sock *sk = sock->sk;
1840         struct sk_buff *skb;
1841
1842         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1843
1844         /* Get data directly from socket receive queue without copying it. */
1845         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1846                 skb_orphan(skb);
1847                 rfcomm_recv_frame(s, skb);
1848         }
1849
1850         if (sk->sk_state == BT_CLOSED) {
1851                 if (!s->initiator)
1852                         rfcomm_session_put(s);
1853
1854                 rfcomm_session_close(s, sk->sk_err);
1855         }
1856 }
1857
1858 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1859 {
1860         struct socket *sock = s->sock, *nsock;
1861         int err;
1862
1863         /* Fast check for a new connection.
1864          * Avoids unnesesary socket allocations. */
1865         if (list_empty(&bt_sk(sock->sk)->accept_q))
1866                 return;
1867
1868         BT_DBG("session %p", s);
1869
1870         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1871         if (err < 0)
1872                 return;
1873
1874         /* Set our callbacks */
1875         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1876         nsock->sk->sk_state_change = rfcomm_l2state_change;
1877
1878         s = rfcomm_session_add(nsock, BT_OPEN);
1879         if (s) {
1880                 rfcomm_session_hold(s);
1881
1882                 /* We should adjust MTU on incoming sessions.
1883                  * L2CAP MTU minus UIH header and FCS. */
1884                 s->mtu = min(l2cap_pi(nsock->sk)->omtu, l2cap_pi(nsock->sk)->imtu) - 5;
1885
1886                 rfcomm_schedule(RFCOMM_SCHED_RX);
1887         } else
1888                 sock_release(nsock);
1889 }
1890
1891 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1892 {
1893         struct sock *sk = s->sock->sk;
1894
1895         BT_DBG("%p state %ld", s, s->state);
1896
1897         switch(sk->sk_state) {
1898         case BT_CONNECTED:
1899                 s->state = BT_CONNECT;
1900
1901                 /* We can adjust MTU on outgoing sessions.
1902                  * L2CAP MTU minus UIH header and FCS. */
1903                 s->mtu = min(l2cap_pi(sk)->omtu, l2cap_pi(sk)->imtu) - 5;
1904
1905                 rfcomm_send_sabm(s, 0);
1906                 break;
1907
1908         case BT_CLOSED:
1909                 s->state = BT_CLOSED;
1910                 rfcomm_session_close(s, sk->sk_err);
1911                 break;
1912         }
1913 }
1914
1915 static inline void rfcomm_process_sessions(void)
1916 {
1917         struct list_head *p, *n;
1918
1919         rfcomm_lock();
1920
1921         list_for_each_safe(p, n, &session_list) {
1922                 struct rfcomm_session *s;
1923                 s = list_entry(p, struct rfcomm_session, list);
1924
1925                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1926                         s->state = BT_DISCONN;
1927                         rfcomm_send_disc(s, 0);
1928                         rfcomm_session_put(s);
1929                         continue;
1930                 }
1931
1932                 if (s->state == BT_LISTEN) {
1933                         rfcomm_accept_connection(s);
1934                         continue;
1935                 }
1936
1937                 rfcomm_session_hold(s);
1938
1939                 switch (s->state) {
1940                 case BT_BOUND:
1941                         rfcomm_check_connection(s);
1942                         break;
1943
1944                 default:
1945                         rfcomm_process_rx(s);
1946                         break;
1947                 }
1948
1949                 rfcomm_process_dlcs(s);
1950
1951                 rfcomm_session_put(s);
1952         }
1953
1954         rfcomm_unlock();
1955 }
1956
1957 static int rfcomm_add_listener(bdaddr_t *ba)
1958 {
1959         struct sockaddr_l2 addr;
1960         struct socket *sock;
1961         struct sock *sk;
1962         struct rfcomm_session *s;
1963         int    err = 0;
1964
1965         /* Create socket */
1966         err = rfcomm_l2sock_create(&sock);
1967         if (err < 0) {
1968                 BT_ERR("Create socket failed %d", err);
1969                 return err;
1970         }
1971
1972         /* Bind socket */
1973         bacpy(&addr.l2_bdaddr, ba);
1974         addr.l2_family = AF_BLUETOOTH;
1975         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
1976         addr.l2_cid    = 0;
1977         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1978         if (err < 0) {
1979                 BT_ERR("Bind failed %d", err);
1980                 goto failed;
1981         }
1982
1983         /* Set L2CAP options */
1984         sk = sock->sk;
1985         lock_sock(sk);
1986         l2cap_pi(sk)->imtu = l2cap_mtu;
1987         release_sock(sk);
1988
1989         /* Start listening on the socket */
1990         err = kernel_listen(sock, 10);
1991         if (err) {
1992                 BT_ERR("Listen failed %d", err);
1993                 goto failed;
1994         }
1995
1996         /* Add listening session */
1997         s = rfcomm_session_add(sock, BT_LISTEN);
1998         if (!s)
1999                 goto failed;
2000
2001         rfcomm_session_hold(s);
2002         return 0;
2003 failed:
2004         sock_release(sock);
2005         return err;
2006 }
2007
2008 static void rfcomm_kill_listener(void)
2009 {
2010         struct rfcomm_session *s;
2011         struct list_head *p, *n;
2012
2013         BT_DBG("");
2014
2015         list_for_each_safe(p, n, &session_list) {
2016                 s = list_entry(p, struct rfcomm_session, list);
2017                 rfcomm_session_del(s);
2018         }
2019 }
2020
2021 static int rfcomm_run(void *unused)
2022 {
2023         BT_DBG("");
2024
2025         set_user_nice(current, -10);
2026
2027         rfcomm_add_listener(BDADDR_ANY);
2028
2029         while (!kthread_should_stop()) {
2030                 set_current_state(TASK_INTERRUPTIBLE);
2031                 if (!test_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event)) {
2032                         /* No pending events. Let's sleep.
2033                          * Incoming connections and data will wake us up. */
2034                         schedule();
2035                 }
2036                 set_current_state(TASK_RUNNING);
2037
2038                 /* Process stuff */
2039                 clear_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
2040                 rfcomm_process_sessions();
2041         }
2042
2043         rfcomm_kill_listener();
2044
2045         return 0;
2046 }
2047
2048 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2049 {
2050         struct rfcomm_session *s;
2051         struct rfcomm_dlc *d;
2052         struct list_head *p, *n;
2053
2054         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2055
2056         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2057         if (!s)
2058                 return;
2059
2060         rfcomm_session_hold(s);
2061
2062         list_for_each_safe(p, n, &s->dlcs) {
2063                 d = list_entry(p, struct rfcomm_dlc, list);
2064
2065                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2066                         rfcomm_dlc_clear_timer(d);
2067                         if (status || encrypt == 0x00) {
2068                                 __rfcomm_dlc_close(d, ECONNREFUSED);
2069                                 continue;
2070                         }
2071                 }
2072
2073                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2074                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2075                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2076                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2077                                 continue;
2078                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2079                                 __rfcomm_dlc_close(d, ECONNREFUSED);
2080                                 continue;
2081                         }
2082                 }
2083
2084                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2085                         continue;
2086
2087                 if (!status)
2088                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2089                 else
2090                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2091         }
2092
2093         rfcomm_session_put(s);
2094
2095         rfcomm_schedule(RFCOMM_SCHED_AUTH);
2096 }
2097
2098 static struct hci_cb rfcomm_cb = {
2099         .name           = "RFCOMM",
2100         .security_cfm   = rfcomm_security_cfm
2101 };
2102
2103 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2104 {
2105         struct rfcomm_session *s;
2106         struct list_head *pp, *p;
2107
2108         rfcomm_lock();
2109
2110         list_for_each(p, &session_list) {
2111                 s = list_entry(p, struct rfcomm_session, list);
2112                 list_for_each(pp, &s->dlcs) {
2113                         struct sock *sk = s->sock->sk;
2114                         struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
2115
2116                         seq_printf(f, "%s %s %ld %d %d %d %d\n",
2117                                                 batostr(&bt_sk(sk)->src),
2118                                                 batostr(&bt_sk(sk)->dst),
2119                                                 d->state, d->dlci, d->mtu,
2120                                                 d->rx_credits, d->tx_credits);
2121                 }
2122         }
2123
2124         rfcomm_unlock();
2125
2126         return 0;
2127 }
2128
2129 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2130 {
2131         return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2132 }
2133
2134 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2135         .open           = rfcomm_dlc_debugfs_open,
2136         .read           = seq_read,
2137         .llseek         = seq_lseek,
2138         .release        = single_release,
2139 };
2140
2141 static struct dentry *rfcomm_dlc_debugfs;
2142
2143 /* ---- Initialization ---- */
2144 static int __init rfcomm_init(void)
2145 {
2146         int err;
2147
2148         l2cap_load();
2149
2150         hci_register_cb(&rfcomm_cb);
2151
2152         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2153         if (IS_ERR(rfcomm_thread)) {
2154                 err = PTR_ERR(rfcomm_thread);
2155                 goto unregister;
2156         }
2157
2158         if (bt_debugfs) {
2159                 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2160                                 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2161                 if (!rfcomm_dlc_debugfs)
2162                         BT_ERR("Failed to create RFCOMM debug file");
2163         }
2164
2165         err = rfcomm_init_ttys();
2166         if (err < 0)
2167                 goto stop;
2168
2169         err = rfcomm_init_sockets();
2170         if (err < 0)
2171                 goto cleanup;
2172
2173         BT_INFO("RFCOMM ver %s", VERSION);
2174
2175         return 0;
2176
2177 cleanup:
2178         rfcomm_cleanup_ttys();
2179
2180 stop:
2181         kthread_stop(rfcomm_thread);
2182
2183 unregister:
2184         hci_unregister_cb(&rfcomm_cb);
2185
2186         return err;
2187 }
2188
2189 static void __exit rfcomm_exit(void)
2190 {
2191         debugfs_remove(rfcomm_dlc_debugfs);
2192
2193         hci_unregister_cb(&rfcomm_cb);
2194
2195         kthread_stop(rfcomm_thread);
2196
2197         rfcomm_cleanup_ttys();
2198
2199         rfcomm_cleanup_sockets();
2200 }
2201
2202 module_init(rfcomm_init);
2203 module_exit(rfcomm_exit);
2204
2205 module_param(disable_cfc, bool, 0644);
2206 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2207
2208 module_param(channel_mtu, int, 0644);
2209 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2210
2211 module_param(l2cap_mtu, uint, 0644);
2212 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2213
2214 module_param(l2cap_ertm, bool, 0644);
2215 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2216
2217 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2218 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2219 MODULE_VERSION(VERSION);
2220 MODULE_LICENSE("GPL");
2221 MODULE_ALIAS("bt-proto-3");