cf164073269dd2b2fa5aa2a98f1ed17693244233
[linux-2.6.git] / net / bluetooth / rfcomm / core.c
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25  * Bluetooth RFCOMM core.
26  */
27
28 #include <linux/module.h>
29 #include <linux/errno.h>
30 #include <linux/kernel.h>
31 #include <linux/sched.h>
32 #include <linux/signal.h>
33 #include <linux/init.h>
34 #include <linux/wait.h>
35 #include <linux/device.h>
36 #include <linux/net.h>
37 #include <linux/mutex.h>
38 #include <linux/kthread.h>
39
40 #include <net/sock.h>
41 #include <asm/uaccess.h>
42 #include <asm/unaligned.h>
43
44 #include <net/bluetooth/bluetooth.h>
45 #include <net/bluetooth/hci_core.h>
46 #include <net/bluetooth/l2cap.h>
47 #include <net/bluetooth/rfcomm.h>
48
49 #define VERSION "1.11"
50
51 static int disable_cfc = 0;
52 static int channel_mtu = -1;
53 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
54 static int l2cap_ertm = 0;
55
56 static struct task_struct *rfcomm_thread;
57
58 static DEFINE_MUTEX(rfcomm_mutex);
59 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
60 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
61
62 static unsigned long rfcomm_event;
63
64 static LIST_HEAD(session_list);
65
66 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
67 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
68 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
69 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
70 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
71 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
72 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
73 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
74 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
75 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
76
77 static void rfcomm_process_connect(struct rfcomm_session *s);
78
79 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err);
80 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
81 static void rfcomm_session_del(struct rfcomm_session *s);
82
83 /* ---- RFCOMM frame parsing macros ---- */
84 #define __get_dlci(b)     ((b & 0xfc) >> 2)
85 #define __get_channel(b)  ((b & 0xf8) >> 3)
86 #define __get_dir(b)      ((b & 0x04) >> 2)
87 #define __get_type(b)     ((b & 0xef))
88
89 #define __test_ea(b)      ((b & 0x01))
90 #define __test_cr(b)      ((b & 0x02))
91 #define __test_pf(b)      ((b & 0x10))
92
93 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
94 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
95 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
96 #define __srv_channel(dlci)    (dlci >> 1)
97 #define __dir(dlci)            (dlci & 0x01)
98
99 #define __len8(len)       (((len) << 1) | 1)
100 #define __len16(len)      ((len) << 1)
101
102 /* MCC macros */
103 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
104 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
105 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
106
107 /* RPN macros */
108 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
109 #define __get_rpn_data_bits(line) ((line) & 0x3)
110 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
111 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
112
113 static inline void rfcomm_schedule(uint event)
114 {
115         if (!rfcomm_thread)
116                 return;
117         //set_bit(event, &rfcomm_event);
118         set_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
119         wake_up_process(rfcomm_thread);
120 }
121
122 static inline void rfcomm_session_put(struct rfcomm_session *s)
123 {
124         if (atomic_dec_and_test(&s->refcnt))
125                 rfcomm_session_del(s);
126 }
127
128 /* ---- RFCOMM FCS computation ---- */
129
130 /* reversed, 8-bit, poly=0x07 */
131 static unsigned char rfcomm_crc_table[256] = {
132         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
133         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
134         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
135         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
136
137         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
138         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
139         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
140         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
141
142         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
143         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
144         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
145         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
146
147         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
148         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
149         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
150         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
151
152         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
153         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
154         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
155         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
156
157         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
158         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
159         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
160         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
161
162         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
163         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
164         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
165         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
166
167         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
168         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
169         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
170         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
171 };
172
173 /* CRC on 2 bytes */
174 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
175
176 /* FCS on 2 bytes */
177 static inline u8 __fcs(u8 *data)
178 {
179         return (0xff - __crc(data));
180 }
181
182 /* FCS on 3 bytes */
183 static inline u8 __fcs2(u8 *data)
184 {
185         return (0xff - rfcomm_crc_table[__crc(data) ^ data[2]]);
186 }
187
188 /* Check FCS */
189 static inline int __check_fcs(u8 *data, int type, u8 fcs)
190 {
191         u8 f = __crc(data);
192
193         if (type != RFCOMM_UIH)
194                 f = rfcomm_crc_table[f ^ data[2]];
195
196         return rfcomm_crc_table[f ^ fcs] != 0xcf;
197 }
198
199 /* ---- L2CAP callbacks ---- */
200 static void rfcomm_l2state_change(struct sock *sk)
201 {
202         BT_DBG("%p state %d", sk, sk->sk_state);
203         rfcomm_schedule(RFCOMM_SCHED_STATE);
204 }
205
206 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
207 {
208         BT_DBG("%p bytes %d", sk, bytes);
209         rfcomm_schedule(RFCOMM_SCHED_RX);
210 }
211
212 static int rfcomm_l2sock_create(struct socket **sock)
213 {
214         int err;
215
216         BT_DBG("");
217
218         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
219         if (!err) {
220                 struct sock *sk = (*sock)->sk;
221                 sk->sk_data_ready   = rfcomm_l2data_ready;
222                 sk->sk_state_change = rfcomm_l2state_change;
223         }
224         return err;
225 }
226
227 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
228 {
229         struct sock *sk = d->session->sock->sk;
230         __u8 auth_type;
231
232         switch (d->sec_level) {
233         case BT_SECURITY_HIGH:
234                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
235                 break;
236         case BT_SECURITY_MEDIUM:
237                 auth_type = HCI_AT_GENERAL_BONDING;
238                 break;
239         default:
240                 auth_type = HCI_AT_NO_BONDING;
241                 break;
242         }
243
244         return hci_conn_security(l2cap_pi(sk)->conn->hcon, d->sec_level,
245                                                                 auth_type);
246 }
247
248 static void rfcomm_session_timeout(unsigned long arg)
249 {
250         struct rfcomm_session *s = (void *) arg;
251
252         BT_DBG("session %p state %ld", s, s->state);
253
254         set_bit(RFCOMM_TIMED_OUT, &s->flags);
255         rfcomm_schedule(RFCOMM_SCHED_TIMEO);
256 }
257
258 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
259 {
260         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
261
262         if (!mod_timer(&s->timer, jiffies + timeout))
263                 rfcomm_session_hold(s);
264 }
265
266 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
267 {
268         BT_DBG("session %p state %ld", s, s->state);
269
270         if (timer_pending(&s->timer) && del_timer(&s->timer))
271                 rfcomm_session_put(s);
272 }
273
274 /* ---- RFCOMM DLCs ---- */
275 static void rfcomm_dlc_timeout(unsigned long arg)
276 {
277         struct rfcomm_dlc *d = (void *) arg;
278
279         BT_DBG("dlc %p state %ld", d, d->state);
280
281         set_bit(RFCOMM_TIMED_OUT, &d->flags);
282         rfcomm_dlc_put(d);
283         rfcomm_schedule(RFCOMM_SCHED_TIMEO);
284 }
285
286 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
287 {
288         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
289
290         if (!mod_timer(&d->timer, jiffies + timeout))
291                 rfcomm_dlc_hold(d);
292 }
293
294 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
295 {
296         BT_DBG("dlc %p state %ld", d, d->state);
297
298         if (timer_pending(&d->timer) && del_timer(&d->timer))
299                 rfcomm_dlc_put(d);
300 }
301
302 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
303 {
304         BT_DBG("%p", d);
305
306         d->state      = BT_OPEN;
307         d->flags      = 0;
308         d->mscex      = 0;
309         d->mtu        = RFCOMM_DEFAULT_MTU;
310         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
311
312         d->cfc        = RFCOMM_CFC_DISABLED;
313         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
314 }
315
316 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
317 {
318         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
319
320         if (!d)
321                 return NULL;
322
323         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
324
325         skb_queue_head_init(&d->tx_queue);
326         spin_lock_init(&d->lock);
327         atomic_set(&d->refcnt, 1);
328
329         rfcomm_dlc_clear_state(d);
330
331         BT_DBG("%p", d);
332
333         return d;
334 }
335
336 void rfcomm_dlc_free(struct rfcomm_dlc *d)
337 {
338         BT_DBG("%p", d);
339
340         skb_queue_purge(&d->tx_queue);
341         kfree(d);
342 }
343
344 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
345 {
346         BT_DBG("dlc %p session %p", d, s);
347
348         rfcomm_session_hold(s);
349
350         rfcomm_session_clear_timer(s);
351         rfcomm_dlc_hold(d);
352         list_add(&d->list, &s->dlcs);
353         d->session = s;
354 }
355
356 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
357 {
358         struct rfcomm_session *s = d->session;
359
360         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
361
362         list_del(&d->list);
363         d->session = NULL;
364         rfcomm_dlc_put(d);
365
366         if (list_empty(&s->dlcs))
367                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
368
369         rfcomm_session_put(s);
370 }
371
372 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
373 {
374         struct rfcomm_dlc *d;
375         struct list_head *p;
376
377         list_for_each(p, &s->dlcs) {
378                 d = list_entry(p, struct rfcomm_dlc, list);
379                 if (d->dlci == dlci)
380                         return d;
381         }
382         return NULL;
383 }
384
385 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
386 {
387         struct rfcomm_session *s;
388         int err = 0;
389         u8 dlci;
390
391         BT_DBG("dlc %p state %ld %s %s channel %d",
392                         d, d->state, batostr(src), batostr(dst), channel);
393
394         if (channel < 1 || channel > 30)
395                 return -EINVAL;
396
397         if (d->state != BT_OPEN && d->state != BT_CLOSED)
398                 return 0;
399
400         s = rfcomm_session_get(src, dst);
401         if (!s) {
402                 s = rfcomm_session_create(src, dst, &err);
403                 if (!s)
404                         return err;
405         }
406
407         dlci = __dlci(!s->initiator, channel);
408
409         /* Check if DLCI already exists */
410         if (rfcomm_dlc_get(s, dlci))
411                 return -EBUSY;
412
413         rfcomm_dlc_clear_state(d);
414
415         d->dlci     = dlci;
416         d->addr     = __addr(s->initiator, dlci);
417         d->priority = 7;
418
419         d->state = BT_CONFIG;
420         rfcomm_dlc_link(s, d);
421
422         d->out = 1;
423
424         d->mtu = s->mtu;
425         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
426
427         if (s->state == BT_CONNECTED) {
428                 if (rfcomm_check_security(d))
429                         rfcomm_send_pn(s, 1, d);
430                 else
431                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
432         }
433
434         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
435
436         return 0;
437 }
438
439 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
440 {
441         int r;
442
443         rfcomm_lock();
444
445         r = __rfcomm_dlc_open(d, src, dst, channel);
446
447         rfcomm_unlock();
448         return r;
449 }
450
451 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
452 {
453         struct rfcomm_session *s = d->session;
454         if (!s)
455                 return 0;
456
457         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
458                         d, d->state, d->dlci, err, s);
459
460         switch (d->state) {
461         case BT_CONNECT:
462         case BT_CONFIG:
463                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
464                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
465                         rfcomm_schedule(RFCOMM_SCHED_AUTH);
466                         break;
467                 }
468                 /* Fall through */
469
470         case BT_CONNECTED:
471                 d->state = BT_DISCONN;
472                 if (skb_queue_empty(&d->tx_queue)) {
473                         rfcomm_send_disc(s, d->dlci);
474                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
475                 } else {
476                         rfcomm_queue_disc(d);
477                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
478                 }
479                 break;
480
481         case BT_OPEN:
482         case BT_CONNECT2:
483                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
484                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
485                         rfcomm_schedule(RFCOMM_SCHED_AUTH);
486                         break;
487                 }
488                 /* Fall through */
489
490         default:
491                 rfcomm_dlc_clear_timer(d);
492
493                 rfcomm_dlc_lock(d);
494                 d->state = BT_CLOSED;
495                 d->state_change(d, err);
496                 rfcomm_dlc_unlock(d);
497
498                 skb_queue_purge(&d->tx_queue);
499                 rfcomm_dlc_unlink(d);
500         }
501
502         return 0;
503 }
504
505 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
506 {
507         int r;
508
509         rfcomm_lock();
510
511         r = __rfcomm_dlc_close(d, err);
512
513         rfcomm_unlock();
514         return r;
515 }
516
517 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
518 {
519         int len = skb->len;
520
521         if (d->state != BT_CONNECTED)
522                 return -ENOTCONN;
523
524         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
525
526         if (len > d->mtu)
527                 return -EINVAL;
528
529         rfcomm_make_uih(skb, d->addr);
530         skb_queue_tail(&d->tx_queue, skb);
531
532         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
533                 rfcomm_schedule(RFCOMM_SCHED_TX);
534         return len;
535 }
536
537 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
538 {
539         BT_DBG("dlc %p state %ld", d, d->state);
540
541         if (!d->cfc) {
542                 d->v24_sig |= RFCOMM_V24_FC;
543                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
544         }
545         rfcomm_schedule(RFCOMM_SCHED_TX);
546 }
547
548 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
549 {
550         BT_DBG("dlc %p state %ld", d, d->state);
551
552         if (!d->cfc) {
553                 d->v24_sig &= ~RFCOMM_V24_FC;
554                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
555         }
556         rfcomm_schedule(RFCOMM_SCHED_TX);
557 }
558
559 /*
560    Set/get modem status functions use _local_ status i.e. what we report
561    to the other side.
562    Remote status is provided by dlc->modem_status() callback.
563  */
564 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
565 {
566         BT_DBG("dlc %p state %ld v24_sig 0x%x",
567                         d, d->state, v24_sig);
568
569         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
570                 v24_sig |= RFCOMM_V24_FC;
571         else
572                 v24_sig &= ~RFCOMM_V24_FC;
573
574         d->v24_sig = v24_sig;
575
576         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
577                 rfcomm_schedule(RFCOMM_SCHED_TX);
578
579         return 0;
580 }
581
582 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
583 {
584         BT_DBG("dlc %p state %ld v24_sig 0x%x",
585                         d, d->state, d->v24_sig);
586
587         *v24_sig = d->v24_sig;
588         return 0;
589 }
590
591 /* ---- RFCOMM sessions ---- */
592 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
593 {
594         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
595
596         if (!s)
597                 return NULL;
598
599         BT_DBG("session %p sock %p", s, sock);
600
601         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
602
603         INIT_LIST_HEAD(&s->dlcs);
604         s->state = state;
605         s->sock  = sock;
606
607         s->mtu = RFCOMM_DEFAULT_MTU;
608         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
609
610         /* Do not increment module usage count for listening sessions.
611          * Otherwise we won't be able to unload the module. */
612         if (state != BT_LISTEN)
613                 if (!try_module_get(THIS_MODULE)) {
614                         kfree(s);
615                         return NULL;
616                 }
617
618         list_add(&s->list, &session_list);
619
620         return s;
621 }
622
623 static void rfcomm_session_del(struct rfcomm_session *s)
624 {
625         int state = s->state;
626
627         BT_DBG("session %p state %ld", s, s->state);
628
629         list_del(&s->list);
630
631         if (state == BT_CONNECTED)
632                 rfcomm_send_disc(s, 0);
633
634         rfcomm_session_clear_timer(s);
635         sock_release(s->sock);
636         kfree(s);
637
638         if (state != BT_LISTEN)
639                 module_put(THIS_MODULE);
640 }
641
642 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
643 {
644         struct rfcomm_session *s;
645         struct list_head *p, *n;
646         struct bt_sock *sk;
647         list_for_each_safe(p, n, &session_list) {
648                 s = list_entry(p, struct rfcomm_session, list);
649                 sk = bt_sk(s->sock->sk);
650
651                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
652                                 !bacmp(&sk->dst, dst))
653                         return s;
654         }
655         return NULL;
656 }
657
658 static void rfcomm_session_close(struct rfcomm_session *s, int err)
659 {
660         struct rfcomm_dlc *d;
661         struct list_head *p, *n;
662
663         BT_DBG("session %p state %ld err %d", s, s->state, err);
664
665         rfcomm_session_hold(s);
666
667         s->state = BT_CLOSED;
668
669         /* Close all dlcs */
670         list_for_each_safe(p, n, &s->dlcs) {
671                 d = list_entry(p, struct rfcomm_dlc, list);
672                 d->state = BT_CLOSED;
673                 __rfcomm_dlc_close(d, err);
674         }
675
676         rfcomm_session_clear_timer(s);
677         rfcomm_session_put(s);
678 }
679
680 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err)
681 {
682         struct rfcomm_session *s = NULL;
683         struct sockaddr_l2 addr;
684         struct socket *sock;
685         struct sock *sk;
686
687         BT_DBG("%s %s", batostr(src), batostr(dst));
688
689         *err = rfcomm_l2sock_create(&sock);
690         if (*err < 0)
691                 return NULL;
692
693         bacpy(&addr.l2_bdaddr, src);
694         addr.l2_family = AF_BLUETOOTH;
695         addr.l2_psm    = 0;
696         addr.l2_cid    = 0;
697         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
698         if (*err < 0)
699                 goto failed;
700
701         /* Set L2CAP options */
702         sk = sock->sk;
703         lock_sock(sk);
704         l2cap_pi(sk)->imtu = l2cap_mtu;
705         if (l2cap_ertm)
706                 l2cap_pi(sk)->mode = L2CAP_MODE_ERTM;
707         release_sock(sk);
708
709         s = rfcomm_session_add(sock, BT_BOUND);
710         if (!s) {
711                 *err = -ENOMEM;
712                 goto failed;
713         }
714
715         s->initiator = 1;
716
717         bacpy(&addr.l2_bdaddr, dst);
718         addr.l2_family = AF_BLUETOOTH;
719         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
720         addr.l2_cid    = 0;
721         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
722         if (*err == 0 || *err == -EINPROGRESS)
723                 return s;
724
725         rfcomm_session_del(s);
726         return NULL;
727
728 failed:
729         sock_release(sock);
730         return NULL;
731 }
732
733 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
734 {
735         struct sock *sk = s->sock->sk;
736         if (src)
737                 bacpy(src, &bt_sk(sk)->src);
738         if (dst)
739                 bacpy(dst, &bt_sk(sk)->dst);
740 }
741
742 /* ---- RFCOMM frame sending ---- */
743 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
744 {
745         struct socket *sock = s->sock;
746         struct kvec iv = { data, len };
747         struct msghdr msg;
748
749         BT_DBG("session %p len %d", s, len);
750
751         memset(&msg, 0, sizeof(msg));
752
753         return kernel_sendmsg(sock, &msg, &iv, 1, len);
754 }
755
756 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
757 {
758         struct rfcomm_cmd cmd;
759
760         BT_DBG("%p dlci %d", s, dlci);
761
762         cmd.addr = __addr(s->initiator, dlci);
763         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
764         cmd.len  = __len8(0);
765         cmd.fcs  = __fcs2((u8 *) &cmd);
766
767         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
768 }
769
770 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
771 {
772         struct rfcomm_cmd cmd;
773
774         BT_DBG("%p dlci %d", s, dlci);
775
776         cmd.addr = __addr(!s->initiator, dlci);
777         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
778         cmd.len  = __len8(0);
779         cmd.fcs  = __fcs2((u8 *) &cmd);
780
781         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
782 }
783
784 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
785 {
786         struct rfcomm_cmd cmd;
787
788         BT_DBG("%p dlci %d", s, dlci);
789
790         cmd.addr = __addr(s->initiator, dlci);
791         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
792         cmd.len  = __len8(0);
793         cmd.fcs  = __fcs2((u8 *) &cmd);
794
795         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
796 }
797
798 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
799 {
800         struct rfcomm_cmd *cmd;
801         struct sk_buff *skb;
802
803         BT_DBG("dlc %p dlci %d", d, d->dlci);
804
805         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
806         if (!skb)
807                 return -ENOMEM;
808
809         cmd = (void *) __skb_put(skb, sizeof(*cmd));
810         cmd->addr = d->addr;
811         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
812         cmd->len  = __len8(0);
813         cmd->fcs  = __fcs2((u8 *) cmd);
814
815         skb_queue_tail(&d->tx_queue, skb);
816         rfcomm_schedule(RFCOMM_SCHED_TX);
817         return 0;
818 }
819
820 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
821 {
822         struct rfcomm_cmd cmd;
823
824         BT_DBG("%p dlci %d", s, dlci);
825
826         cmd.addr = __addr(!s->initiator, dlci);
827         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
828         cmd.len  = __len8(0);
829         cmd.fcs  = __fcs2((u8 *) &cmd);
830
831         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
832 }
833
834 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
835 {
836         struct rfcomm_hdr *hdr;
837         struct rfcomm_mcc *mcc;
838         u8 buf[16], *ptr = buf;
839
840         BT_DBG("%p cr %d type %d", s, cr, type);
841
842         hdr = (void *) ptr; ptr += sizeof(*hdr);
843         hdr->addr = __addr(s->initiator, 0);
844         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
845         hdr->len  = __len8(sizeof(*mcc) + 1);
846
847         mcc = (void *) ptr; ptr += sizeof(*mcc);
848         mcc->type = __mcc_type(cr, RFCOMM_NSC);
849         mcc->len  = __len8(1);
850
851         /* Type that we didn't like */
852         *ptr = __mcc_type(cr, type); ptr++;
853
854         *ptr = __fcs(buf); ptr++;
855
856         return rfcomm_send_frame(s, buf, ptr - buf);
857 }
858
859 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
860 {
861         struct rfcomm_hdr *hdr;
862         struct rfcomm_mcc *mcc;
863         struct rfcomm_pn  *pn;
864         u8 buf[16], *ptr = buf;
865
866         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
867
868         hdr = (void *) ptr; ptr += sizeof(*hdr);
869         hdr->addr = __addr(s->initiator, 0);
870         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
871         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
872
873         mcc = (void *) ptr; ptr += sizeof(*mcc);
874         mcc->type = __mcc_type(cr, RFCOMM_PN);
875         mcc->len  = __len8(sizeof(*pn));
876
877         pn = (void *) ptr; ptr += sizeof(*pn);
878         pn->dlci        = d->dlci;
879         pn->priority    = d->priority;
880         pn->ack_timer   = 0;
881         pn->max_retrans = 0;
882
883         if (s->cfc) {
884                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
885                 pn->credits = RFCOMM_DEFAULT_CREDITS;
886         } else {
887                 pn->flow_ctrl = 0;
888                 pn->credits   = 0;
889         }
890
891         if (cr && channel_mtu >= 0)
892                 pn->mtu = cpu_to_le16(channel_mtu);
893         else
894                 pn->mtu = cpu_to_le16(d->mtu);
895
896         *ptr = __fcs(buf); ptr++;
897
898         return rfcomm_send_frame(s, buf, ptr - buf);
899 }
900
901 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
902                         u8 bit_rate, u8 data_bits, u8 stop_bits,
903                         u8 parity, u8 flow_ctrl_settings,
904                         u8 xon_char, u8 xoff_char, u16 param_mask)
905 {
906         struct rfcomm_hdr *hdr;
907         struct rfcomm_mcc *mcc;
908         struct rfcomm_rpn *rpn;
909         u8 buf[16], *ptr = buf;
910
911         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
912                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
913                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
914                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
915
916         hdr = (void *) ptr; ptr += sizeof(*hdr);
917         hdr->addr = __addr(s->initiator, 0);
918         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
919         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
920
921         mcc = (void *) ptr; ptr += sizeof(*mcc);
922         mcc->type = __mcc_type(cr, RFCOMM_RPN);
923         mcc->len  = __len8(sizeof(*rpn));
924
925         rpn = (void *) ptr; ptr += sizeof(*rpn);
926         rpn->dlci          = __addr(1, dlci);
927         rpn->bit_rate      = bit_rate;
928         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
929         rpn->flow_ctrl     = flow_ctrl_settings;
930         rpn->xon_char      = xon_char;
931         rpn->xoff_char     = xoff_char;
932         rpn->param_mask    = cpu_to_le16(param_mask);
933
934         *ptr = __fcs(buf); ptr++;
935
936         return rfcomm_send_frame(s, buf, ptr - buf);
937 }
938
939 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
940 {
941         struct rfcomm_hdr *hdr;
942         struct rfcomm_mcc *mcc;
943         struct rfcomm_rls *rls;
944         u8 buf[16], *ptr = buf;
945
946         BT_DBG("%p cr %d status 0x%x", s, cr, status);
947
948         hdr = (void *) ptr; ptr += sizeof(*hdr);
949         hdr->addr = __addr(s->initiator, 0);
950         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
951         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
952
953         mcc = (void *) ptr; ptr += sizeof(*mcc);
954         mcc->type = __mcc_type(cr, RFCOMM_RLS);
955         mcc->len  = __len8(sizeof(*rls));
956
957         rls = (void *) ptr; ptr += sizeof(*rls);
958         rls->dlci   = __addr(1, dlci);
959         rls->status = status;
960
961         *ptr = __fcs(buf); ptr++;
962
963         return rfcomm_send_frame(s, buf, ptr - buf);
964 }
965
966 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
967 {
968         struct rfcomm_hdr *hdr;
969         struct rfcomm_mcc *mcc;
970         struct rfcomm_msc *msc;
971         u8 buf[16], *ptr = buf;
972
973         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
974
975         hdr = (void *) ptr; ptr += sizeof(*hdr);
976         hdr->addr = __addr(s->initiator, 0);
977         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
978         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
979
980         mcc = (void *) ptr; ptr += sizeof(*mcc);
981         mcc->type = __mcc_type(cr, RFCOMM_MSC);
982         mcc->len  = __len8(sizeof(*msc));
983
984         msc = (void *) ptr; ptr += sizeof(*msc);
985         msc->dlci    = __addr(1, dlci);
986         msc->v24_sig = v24_sig | 0x01;
987
988         *ptr = __fcs(buf); ptr++;
989
990         return rfcomm_send_frame(s, buf, ptr - buf);
991 }
992
993 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
994 {
995         struct rfcomm_hdr *hdr;
996         struct rfcomm_mcc *mcc;
997         u8 buf[16], *ptr = buf;
998
999         BT_DBG("%p cr %d", s, cr);
1000
1001         hdr = (void *) ptr; ptr += sizeof(*hdr);
1002         hdr->addr = __addr(s->initiator, 0);
1003         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1004         hdr->len  = __len8(sizeof(*mcc));
1005
1006         mcc = (void *) ptr; ptr += sizeof(*mcc);
1007         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1008         mcc->len  = __len8(0);
1009
1010         *ptr = __fcs(buf); ptr++;
1011
1012         return rfcomm_send_frame(s, buf, ptr - buf);
1013 }
1014
1015 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1016 {
1017         struct rfcomm_hdr *hdr;
1018         struct rfcomm_mcc *mcc;
1019         u8 buf[16], *ptr = buf;
1020
1021         BT_DBG("%p cr %d", s, cr);
1022
1023         hdr = (void *) ptr; ptr += sizeof(*hdr);
1024         hdr->addr = __addr(s->initiator, 0);
1025         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1026         hdr->len  = __len8(sizeof(*mcc));
1027
1028         mcc = (void *) ptr; ptr += sizeof(*mcc);
1029         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1030         mcc->len  = __len8(0);
1031
1032         *ptr = __fcs(buf); ptr++;
1033
1034         return rfcomm_send_frame(s, buf, ptr - buf);
1035 }
1036
1037 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1038 {
1039         struct socket *sock = s->sock;
1040         struct kvec iv[3];
1041         struct msghdr msg;
1042         unsigned char hdr[5], crc[1];
1043
1044         if (len > 125)
1045                 return -EINVAL;
1046
1047         BT_DBG("%p cr %d", s, cr);
1048
1049         hdr[0] = __addr(s->initiator, 0);
1050         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1051         hdr[2] = 0x01 | ((len + 2) << 1);
1052         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1053         hdr[4] = 0x01 | (len << 1);
1054
1055         crc[0] = __fcs(hdr);
1056
1057         iv[0].iov_base = hdr;
1058         iv[0].iov_len  = 5;
1059         iv[1].iov_base = pattern;
1060         iv[1].iov_len  = len;
1061         iv[2].iov_base = crc;
1062         iv[2].iov_len  = 1;
1063
1064         memset(&msg, 0, sizeof(msg));
1065
1066         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1067 }
1068
1069 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1070 {
1071         struct rfcomm_hdr *hdr;
1072         u8 buf[16], *ptr = buf;
1073
1074         BT_DBG("%p addr %d credits %d", s, addr, credits);
1075
1076         hdr = (void *) ptr; ptr += sizeof(*hdr);
1077         hdr->addr = addr;
1078         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1079         hdr->len  = __len8(0);
1080
1081         *ptr = credits; ptr++;
1082
1083         *ptr = __fcs(buf); ptr++;
1084
1085         return rfcomm_send_frame(s, buf, ptr - buf);
1086 }
1087
1088 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1089 {
1090         struct rfcomm_hdr *hdr;
1091         int len = skb->len;
1092         u8 *crc;
1093
1094         if (len > 127) {
1095                 hdr = (void *) skb_push(skb, 4);
1096                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1097         } else {
1098                 hdr = (void *) skb_push(skb, 3);
1099                 hdr->len = __len8(len);
1100         }
1101         hdr->addr = addr;
1102         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1103
1104         crc = skb_put(skb, 1);
1105         *crc = __fcs((void *) hdr);
1106 }
1107
1108 /* ---- RFCOMM frame reception ---- */
1109 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1110 {
1111         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1112
1113         if (dlci) {
1114                 /* Data channel */
1115                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1116                 if (!d) {
1117                         rfcomm_send_dm(s, dlci);
1118                         return 0;
1119                 }
1120
1121                 switch (d->state) {
1122                 case BT_CONNECT:
1123                         rfcomm_dlc_clear_timer(d);
1124
1125                         rfcomm_dlc_lock(d);
1126                         d->state = BT_CONNECTED;
1127                         d->state_change(d, 0);
1128                         rfcomm_dlc_unlock(d);
1129
1130                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1131                         break;
1132
1133                 case BT_DISCONN:
1134                         d->state = BT_CLOSED;
1135                         __rfcomm_dlc_close(d, 0);
1136
1137                         if (list_empty(&s->dlcs)) {
1138                                 s->state = BT_DISCONN;
1139                                 rfcomm_send_disc(s, 0);
1140                         }
1141
1142                         break;
1143                 }
1144         } else {
1145                 /* Control channel */
1146                 switch (s->state) {
1147                 case BT_CONNECT:
1148                         s->state = BT_CONNECTED;
1149                         rfcomm_process_connect(s);
1150                         break;
1151
1152                 case BT_DISCONN:
1153                         /* When socket is closed and we are not RFCOMM
1154                          * initiator rfcomm_process_rx already calls
1155                          * rfcomm_session_put() */
1156                         if (s->sock->sk->sk_state != BT_CLOSED)
1157                                 rfcomm_session_put(s);
1158                         break;
1159                 }
1160         }
1161         return 0;
1162 }
1163
1164 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1165 {
1166         int err = 0;
1167
1168         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1169
1170         if (dlci) {
1171                 /* Data DLC */
1172                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1173                 if (d) {
1174                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1175                                 err = ECONNREFUSED;
1176                         else
1177                                 err = ECONNRESET;
1178
1179                         d->state = BT_CLOSED;
1180                         __rfcomm_dlc_close(d, err);
1181                 }
1182         } else {
1183                 if (s->state == BT_CONNECT)
1184                         err = ECONNREFUSED;
1185                 else
1186                         err = ECONNRESET;
1187
1188                 s->state = BT_CLOSED;
1189                 rfcomm_session_close(s, err);
1190         }
1191         return 0;
1192 }
1193
1194 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1195 {
1196         int err = 0;
1197
1198         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1199
1200         if (dlci) {
1201                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1202                 if (d) {
1203                         rfcomm_send_ua(s, dlci);
1204
1205                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1206                                 err = ECONNREFUSED;
1207                         else
1208                                 err = ECONNRESET;
1209
1210                         d->state = BT_CLOSED;
1211                         __rfcomm_dlc_close(d, err);
1212                 } else
1213                         rfcomm_send_dm(s, dlci);
1214
1215         } else {
1216                 rfcomm_send_ua(s, 0);
1217
1218                 if (s->state == BT_CONNECT)
1219                         err = ECONNREFUSED;
1220                 else
1221                         err = ECONNRESET;
1222
1223                 s->state = BT_CLOSED;
1224                 rfcomm_session_close(s, err);
1225         }
1226
1227         return 0;
1228 }
1229
1230 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1231 {
1232         struct sock *sk = d->session->sock->sk;
1233
1234         BT_DBG("dlc %p", d);
1235
1236         rfcomm_send_ua(d->session, d->dlci);
1237
1238         rfcomm_dlc_clear_timer(d);
1239
1240         rfcomm_dlc_lock(d);
1241         d->state = BT_CONNECTED;
1242         d->state_change(d, 0);
1243         rfcomm_dlc_unlock(d);
1244
1245         if (d->role_switch)
1246                 hci_conn_switch_role(l2cap_pi(sk)->conn->hcon, 0x00);
1247
1248         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1249 }
1250
1251 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1252 {
1253         if (rfcomm_check_security(d)) {
1254                 if (d->defer_setup) {
1255                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1256                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1257
1258                         rfcomm_dlc_lock(d);
1259                         d->state = BT_CONNECT2;
1260                         d->state_change(d, 0);
1261                         rfcomm_dlc_unlock(d);
1262                 } else
1263                         rfcomm_dlc_accept(d);
1264         } else {
1265                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1266                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1267         }
1268 }
1269
1270 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1271 {
1272         struct rfcomm_dlc *d;
1273         u8 channel;
1274
1275         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1276
1277         if (!dlci) {
1278                 rfcomm_send_ua(s, 0);
1279
1280                 if (s->state == BT_OPEN) {
1281                         s->state = BT_CONNECTED;
1282                         rfcomm_process_connect(s);
1283                 }
1284                 return 0;
1285         }
1286
1287         /* Check if DLC exists */
1288         d = rfcomm_dlc_get(s, dlci);
1289         if (d) {
1290                 if (d->state == BT_OPEN) {
1291                         /* DLC was previously opened by PN request */
1292                         rfcomm_check_accept(d);
1293                 }
1294                 return 0;
1295         }
1296
1297         /* Notify socket layer about incoming connection */
1298         channel = __srv_channel(dlci);
1299         if (rfcomm_connect_ind(s, channel, &d)) {
1300                 d->dlci = dlci;
1301                 d->addr = __addr(s->initiator, dlci);
1302                 rfcomm_dlc_link(s, d);
1303
1304                 rfcomm_check_accept(d);
1305         } else {
1306                 rfcomm_send_dm(s, dlci);
1307         }
1308
1309         return 0;
1310 }
1311
1312 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1313 {
1314         struct rfcomm_session *s = d->session;
1315
1316         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1317                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1318
1319         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1320                                                 pn->flow_ctrl == 0xe0) {
1321                 d->cfc = RFCOMM_CFC_ENABLED;
1322                 d->tx_credits = pn->credits;
1323         } else {
1324                 d->cfc = RFCOMM_CFC_DISABLED;
1325                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1326         }
1327
1328         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1329                 s->cfc = d->cfc;
1330
1331         d->priority = pn->priority;
1332
1333         d->mtu = __le16_to_cpu(pn->mtu);
1334
1335         if (cr && d->mtu > s->mtu)
1336                 d->mtu = s->mtu;
1337
1338         return 0;
1339 }
1340
1341 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1342 {
1343         struct rfcomm_pn *pn = (void *) skb->data;
1344         struct rfcomm_dlc *d;
1345         u8 dlci = pn->dlci;
1346
1347         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1348
1349         if (!dlci)
1350                 return 0;
1351
1352         d = rfcomm_dlc_get(s, dlci);
1353         if (d) {
1354                 if (cr) {
1355                         /* PN request */
1356                         rfcomm_apply_pn(d, cr, pn);
1357                         rfcomm_send_pn(s, 0, d);
1358                 } else {
1359                         /* PN response */
1360                         switch (d->state) {
1361                         case BT_CONFIG:
1362                                 rfcomm_apply_pn(d, cr, pn);
1363
1364                                 d->state = BT_CONNECT;
1365                                 rfcomm_send_sabm(s, d->dlci);
1366                                 break;
1367                         }
1368                 }
1369         } else {
1370                 u8 channel = __srv_channel(dlci);
1371
1372                 if (!cr)
1373                         return 0;
1374
1375                 /* PN request for non existing DLC.
1376                  * Assume incoming connection. */
1377                 if (rfcomm_connect_ind(s, channel, &d)) {
1378                         d->dlci = dlci;
1379                         d->addr = __addr(s->initiator, dlci);
1380                         rfcomm_dlc_link(s, d);
1381
1382                         rfcomm_apply_pn(d, cr, pn);
1383
1384                         d->state = BT_OPEN;
1385                         rfcomm_send_pn(s, 0, d);
1386                 } else {
1387                         rfcomm_send_dm(s, dlci);
1388                 }
1389         }
1390         return 0;
1391 }
1392
1393 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1394 {
1395         struct rfcomm_rpn *rpn = (void *) skb->data;
1396         u8 dlci = __get_dlci(rpn->dlci);
1397
1398         u8 bit_rate  = 0;
1399         u8 data_bits = 0;
1400         u8 stop_bits = 0;
1401         u8 parity    = 0;
1402         u8 flow_ctrl = 0;
1403         u8 xon_char  = 0;
1404         u8 xoff_char = 0;
1405         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1406
1407         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1408                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1409                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1410
1411         if (!cr)
1412                 return 0;
1413
1414         if (len == 1) {
1415                 /* This is a request, return default settings */
1416                 bit_rate  = RFCOMM_RPN_BR_115200;
1417                 data_bits = RFCOMM_RPN_DATA_8;
1418                 stop_bits = RFCOMM_RPN_STOP_1;
1419                 parity    = RFCOMM_RPN_PARITY_NONE;
1420                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1421                 xon_char  = RFCOMM_RPN_XON_CHAR;
1422                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1423                 goto rpn_out;
1424         }
1425
1426         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1427          * no parity, no flow control lines, normal XON/XOFF chars */
1428
1429         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1430                 bit_rate = rpn->bit_rate;
1431                 if (bit_rate != RFCOMM_RPN_BR_115200) {
1432                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1433                         bit_rate = RFCOMM_RPN_BR_115200;
1434                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1435                 }
1436         }
1437
1438         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1439                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1440                 if (data_bits != RFCOMM_RPN_DATA_8) {
1441                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1442                         data_bits = RFCOMM_RPN_DATA_8;
1443                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1444                 }
1445         }
1446
1447         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1448                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1449                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1450                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1451                         stop_bits = RFCOMM_RPN_STOP_1;
1452                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1453                 }
1454         }
1455
1456         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1457                 parity = __get_rpn_parity(rpn->line_settings);
1458                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1459                         BT_DBG("RPN parity mismatch 0x%x", parity);
1460                         parity = RFCOMM_RPN_PARITY_NONE;
1461                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1462                 }
1463         }
1464
1465         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1466                 flow_ctrl = rpn->flow_ctrl;
1467                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1468                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1469                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1470                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1471                 }
1472         }
1473
1474         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1475                 xon_char = rpn->xon_char;
1476                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1477                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1478                         xon_char = RFCOMM_RPN_XON_CHAR;
1479                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1480                 }
1481         }
1482
1483         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1484                 xoff_char = rpn->xoff_char;
1485                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1486                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1487                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1488                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1489                 }
1490         }
1491
1492 rpn_out:
1493         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1494                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1495
1496         return 0;
1497 }
1498
1499 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1500 {
1501         struct rfcomm_rls *rls = (void *) skb->data;
1502         u8 dlci = __get_dlci(rls->dlci);
1503
1504         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1505
1506         if (!cr)
1507                 return 0;
1508
1509         /* We should probably do something with this information here. But
1510          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1511          * mandatory to recognise and respond to RLS */
1512
1513         rfcomm_send_rls(s, 0, dlci, rls->status);
1514
1515         return 0;
1516 }
1517
1518 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1519 {
1520         struct rfcomm_msc *msc = (void *) skb->data;
1521         struct rfcomm_dlc *d;
1522         u8 dlci = __get_dlci(msc->dlci);
1523
1524         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1525
1526         d = rfcomm_dlc_get(s, dlci);
1527         if (!d)
1528                 return 0;
1529
1530         if (cr) {
1531                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1532                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1533                 else
1534                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1535
1536                 rfcomm_dlc_lock(d);
1537
1538                 d->remote_v24_sig = msc->v24_sig;
1539
1540                 if (d->modem_status)
1541                         d->modem_status(d, msc->v24_sig);
1542
1543                 rfcomm_dlc_unlock(d);
1544
1545                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1546
1547                 d->mscex |= RFCOMM_MSCEX_RX;
1548         } else
1549                 d->mscex |= RFCOMM_MSCEX_TX;
1550
1551         return 0;
1552 }
1553
1554 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1555 {
1556         struct rfcomm_mcc *mcc = (void *) skb->data;
1557         u8 type, cr, len;
1558
1559         cr   = __test_cr(mcc->type);
1560         type = __get_mcc_type(mcc->type);
1561         len  = __get_mcc_len(mcc->len);
1562
1563         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1564
1565         skb_pull(skb, 2);
1566
1567         switch (type) {
1568         case RFCOMM_PN:
1569                 rfcomm_recv_pn(s, cr, skb);
1570                 break;
1571
1572         case RFCOMM_RPN:
1573                 rfcomm_recv_rpn(s, cr, len, skb);
1574                 break;
1575
1576         case RFCOMM_RLS:
1577                 rfcomm_recv_rls(s, cr, skb);
1578                 break;
1579
1580         case RFCOMM_MSC:
1581                 rfcomm_recv_msc(s, cr, skb);
1582                 break;
1583
1584         case RFCOMM_FCOFF:
1585                 if (cr) {
1586                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1587                         rfcomm_send_fcoff(s, 0);
1588                 }
1589                 break;
1590
1591         case RFCOMM_FCON:
1592                 if (cr) {
1593                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1594                         rfcomm_send_fcon(s, 0);
1595                 }
1596                 break;
1597
1598         case RFCOMM_TEST:
1599                 if (cr)
1600                         rfcomm_send_test(s, 0, skb->data, skb->len);
1601                 break;
1602
1603         case RFCOMM_NSC:
1604                 break;
1605
1606         default:
1607                 BT_ERR("Unknown control type 0x%02x", type);
1608                 rfcomm_send_nsc(s, cr, type);
1609                 break;
1610         }
1611         return 0;
1612 }
1613
1614 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1615 {
1616         struct rfcomm_dlc *d;
1617
1618         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1619
1620         d = rfcomm_dlc_get(s, dlci);
1621         if (!d) {
1622                 rfcomm_send_dm(s, dlci);
1623                 goto drop;
1624         }
1625
1626         if (pf && d->cfc) {
1627                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1628
1629                 d->tx_credits += credits;
1630                 if (d->tx_credits)
1631                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1632         }
1633
1634         if (skb->len && d->state == BT_CONNECTED) {
1635                 rfcomm_dlc_lock(d);
1636                 d->rx_credits--;
1637                 d->data_ready(d, skb);
1638                 rfcomm_dlc_unlock(d);
1639                 return 0;
1640         }
1641
1642 drop:
1643         kfree_skb(skb);
1644         return 0;
1645 }
1646
1647 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1648 {
1649         struct rfcomm_hdr *hdr = (void *) skb->data;
1650         u8 type, dlci, fcs;
1651
1652         dlci = __get_dlci(hdr->addr);
1653         type = __get_type(hdr->ctrl);
1654
1655         /* Trim FCS */
1656         skb->len--; skb->tail--;
1657         fcs = *(u8 *)skb_tail_pointer(skb);
1658
1659         if (__check_fcs(skb->data, type, fcs)) {
1660                 BT_ERR("bad checksum in packet");
1661                 kfree_skb(skb);
1662                 return -EILSEQ;
1663         }
1664
1665         if (__test_ea(hdr->len))
1666                 skb_pull(skb, 3);
1667         else
1668                 skb_pull(skb, 4);
1669
1670         switch (type) {
1671         case RFCOMM_SABM:
1672                 if (__test_pf(hdr->ctrl))
1673                         rfcomm_recv_sabm(s, dlci);
1674                 break;
1675
1676         case RFCOMM_DISC:
1677                 if (__test_pf(hdr->ctrl))
1678                         rfcomm_recv_disc(s, dlci);
1679                 break;
1680
1681         case RFCOMM_UA:
1682                 if (__test_pf(hdr->ctrl))
1683                         rfcomm_recv_ua(s, dlci);
1684                 break;
1685
1686         case RFCOMM_DM:
1687                 rfcomm_recv_dm(s, dlci);
1688                 break;
1689
1690         case RFCOMM_UIH:
1691                 if (dlci)
1692                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1693
1694                 rfcomm_recv_mcc(s, skb);
1695                 break;
1696
1697         default:
1698                 BT_ERR("Unknown packet type 0x%02x\n", type);
1699                 break;
1700         }
1701         kfree_skb(skb);
1702         return 0;
1703 }
1704
1705 /* ---- Connection and data processing ---- */
1706
1707 static void rfcomm_process_connect(struct rfcomm_session *s)
1708 {
1709         struct rfcomm_dlc *d;
1710         struct list_head *p, *n;
1711
1712         BT_DBG("session %p state %ld", s, s->state);
1713
1714         list_for_each_safe(p, n, &s->dlcs) {
1715                 d = list_entry(p, struct rfcomm_dlc, list);
1716                 if (d->state == BT_CONFIG) {
1717                         d->mtu = s->mtu;
1718                         if (rfcomm_check_security(d)) {
1719                                 rfcomm_send_pn(s, 1, d);
1720                         } else {
1721                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1722                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1723                         }
1724                 }
1725         }
1726 }
1727
1728 /* Send data queued for the DLC.
1729  * Return number of frames left in the queue.
1730  */
1731 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1732 {
1733         struct sk_buff *skb;
1734         int err;
1735
1736         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1737                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1738
1739         /* Send pending MSC */
1740         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1741                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1742
1743         if (d->cfc) {
1744                 /* CFC enabled.
1745                  * Give them some credits */
1746                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1747                                 d->rx_credits <= (d->cfc >> 2)) {
1748                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1749                         d->rx_credits = d->cfc;
1750                 }
1751         } else {
1752                 /* CFC disabled.
1753                  * Give ourselves some credits */
1754                 d->tx_credits = 5;
1755         }
1756
1757         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1758                 return skb_queue_len(&d->tx_queue);
1759
1760         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1761                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1762                 if (err < 0) {
1763                         skb_queue_head(&d->tx_queue, skb);
1764                         break;
1765                 }
1766                 kfree_skb(skb);
1767                 d->tx_credits--;
1768         }
1769
1770         if (d->cfc && !d->tx_credits) {
1771                 /* We're out of TX credits.
1772                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1773                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1774         }
1775
1776         return skb_queue_len(&d->tx_queue);
1777 }
1778
1779 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1780 {
1781         struct rfcomm_dlc *d;
1782         struct list_head *p, *n;
1783
1784         BT_DBG("session %p state %ld", s, s->state);
1785
1786         list_for_each_safe(p, n, &s->dlcs) {
1787                 d = list_entry(p, struct rfcomm_dlc, list);
1788
1789                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1790                         __rfcomm_dlc_close(d, ETIMEDOUT);
1791                         continue;
1792                 }
1793
1794                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1795                         rfcomm_dlc_clear_timer(d);
1796                         if (d->out) {
1797                                 rfcomm_send_pn(s, 1, d);
1798                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1799                         } else {
1800                                 if (d->defer_setup) {
1801                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1802                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1803
1804                                         rfcomm_dlc_lock(d);
1805                                         d->state = BT_CONNECT2;
1806                                         d->state_change(d, 0);
1807                                         rfcomm_dlc_unlock(d);
1808                                 } else
1809                                         rfcomm_dlc_accept(d);
1810                         }
1811                         continue;
1812                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1813                         rfcomm_dlc_clear_timer(d);
1814                         if (!d->out)
1815                                 rfcomm_send_dm(s, d->dlci);
1816                         else
1817                                 d->state = BT_CLOSED;
1818                         __rfcomm_dlc_close(d, ECONNREFUSED);
1819                         continue;
1820                 }
1821
1822                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1823                         continue;
1824
1825                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1826                         continue;
1827
1828                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1829                                                 d->mscex == RFCOMM_MSCEX_OK)
1830                         rfcomm_process_tx(d);
1831         }
1832 }
1833
1834 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1835 {
1836         struct socket *sock = s->sock;
1837         struct sock *sk = sock->sk;
1838         struct sk_buff *skb;
1839
1840         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1841
1842         /* Get data directly from socket receive queue without copying it. */
1843         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1844                 skb_orphan(skb);
1845                 rfcomm_recv_frame(s, skb);
1846         }
1847
1848         if (sk->sk_state == BT_CLOSED) {
1849                 if (!s->initiator)
1850                         rfcomm_session_put(s);
1851
1852                 rfcomm_session_close(s, sk->sk_err);
1853         }
1854 }
1855
1856 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1857 {
1858         struct socket *sock = s->sock, *nsock;
1859         int err;
1860
1861         /* Fast check for a new connection.
1862          * Avoids unnesesary socket allocations. */
1863         if (list_empty(&bt_sk(sock->sk)->accept_q))
1864                 return;
1865
1866         BT_DBG("session %p", s);
1867
1868         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1869         if (err < 0)
1870                 return;
1871
1872         /* Set our callbacks */
1873         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1874         nsock->sk->sk_state_change = rfcomm_l2state_change;
1875
1876         s = rfcomm_session_add(nsock, BT_OPEN);
1877         if (s) {
1878                 rfcomm_session_hold(s);
1879
1880                 /* We should adjust MTU on incoming sessions.
1881                  * L2CAP MTU minus UIH header and FCS. */
1882                 s->mtu = min(l2cap_pi(nsock->sk)->omtu, l2cap_pi(nsock->sk)->imtu) - 5;
1883
1884                 rfcomm_schedule(RFCOMM_SCHED_RX);
1885         } else
1886                 sock_release(nsock);
1887 }
1888
1889 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1890 {
1891         struct sock *sk = s->sock->sk;
1892
1893         BT_DBG("%p state %ld", s, s->state);
1894
1895         switch(sk->sk_state) {
1896         case BT_CONNECTED:
1897                 s->state = BT_CONNECT;
1898
1899                 /* We can adjust MTU on outgoing sessions.
1900                  * L2CAP MTU minus UIH header and FCS. */
1901                 s->mtu = min(l2cap_pi(sk)->omtu, l2cap_pi(sk)->imtu) - 5;
1902
1903                 rfcomm_send_sabm(s, 0);
1904                 break;
1905
1906         case BT_CLOSED:
1907                 s->state = BT_CLOSED;
1908                 rfcomm_session_close(s, sk->sk_err);
1909                 break;
1910         }
1911 }
1912
1913 static inline void rfcomm_process_sessions(void)
1914 {
1915         struct list_head *p, *n;
1916
1917         rfcomm_lock();
1918
1919         list_for_each_safe(p, n, &session_list) {
1920                 struct rfcomm_session *s;
1921                 s = list_entry(p, struct rfcomm_session, list);
1922
1923                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1924                         s->state = BT_DISCONN;
1925                         rfcomm_send_disc(s, 0);
1926                         rfcomm_session_put(s);
1927                         continue;
1928                 }
1929
1930                 if (s->state == BT_LISTEN) {
1931                         rfcomm_accept_connection(s);
1932                         continue;
1933                 }
1934
1935                 rfcomm_session_hold(s);
1936
1937                 switch (s->state) {
1938                 case BT_BOUND:
1939                         rfcomm_check_connection(s);
1940                         break;
1941
1942                 default:
1943                         rfcomm_process_rx(s);
1944                         break;
1945                 }
1946
1947                 rfcomm_process_dlcs(s);
1948
1949                 rfcomm_session_put(s);
1950         }
1951
1952         rfcomm_unlock();
1953 }
1954
1955 static int rfcomm_add_listener(bdaddr_t *ba)
1956 {
1957         struct sockaddr_l2 addr;
1958         struct socket *sock;
1959         struct sock *sk;
1960         struct rfcomm_session *s;
1961         int    err = 0;
1962
1963         /* Create socket */
1964         err = rfcomm_l2sock_create(&sock);
1965         if (err < 0) {
1966                 BT_ERR("Create socket failed %d", err);
1967                 return err;
1968         }
1969
1970         /* Bind socket */
1971         bacpy(&addr.l2_bdaddr, ba);
1972         addr.l2_family = AF_BLUETOOTH;
1973         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
1974         addr.l2_cid    = 0;
1975         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1976         if (err < 0) {
1977                 BT_ERR("Bind failed %d", err);
1978                 goto failed;
1979         }
1980
1981         /* Set L2CAP options */
1982         sk = sock->sk;
1983         lock_sock(sk);
1984         l2cap_pi(sk)->imtu = l2cap_mtu;
1985         release_sock(sk);
1986
1987         /* Start listening on the socket */
1988         err = kernel_listen(sock, 10);
1989         if (err) {
1990                 BT_ERR("Listen failed %d", err);
1991                 goto failed;
1992         }
1993
1994         /* Add listening session */
1995         s = rfcomm_session_add(sock, BT_LISTEN);
1996         if (!s)
1997                 goto failed;
1998
1999         rfcomm_session_hold(s);
2000         return 0;
2001 failed:
2002         sock_release(sock);
2003         return err;
2004 }
2005
2006 static void rfcomm_kill_listener(void)
2007 {
2008         struct rfcomm_session *s;
2009         struct list_head *p, *n;
2010
2011         BT_DBG("");
2012
2013         list_for_each_safe(p, n, &session_list) {
2014                 s = list_entry(p, struct rfcomm_session, list);
2015                 rfcomm_session_del(s);
2016         }
2017 }
2018
2019 static int rfcomm_run(void *unused)
2020 {
2021         BT_DBG("");
2022
2023         set_user_nice(current, -10);
2024
2025         rfcomm_add_listener(BDADDR_ANY);
2026
2027         while (!kthread_should_stop()) {
2028                 set_current_state(TASK_INTERRUPTIBLE);
2029                 if (!test_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event)) {
2030                         /* No pending events. Let's sleep.
2031                          * Incoming connections and data will wake us up. */
2032                         schedule();
2033                 }
2034                 set_current_state(TASK_RUNNING);
2035
2036                 /* Process stuff */
2037                 clear_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
2038                 rfcomm_process_sessions();
2039         }
2040
2041         rfcomm_kill_listener();
2042
2043         return 0;
2044 }
2045
2046 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2047 {
2048         struct rfcomm_session *s;
2049         struct rfcomm_dlc *d;
2050         struct list_head *p, *n;
2051
2052         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2053
2054         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2055         if (!s)
2056                 return;
2057
2058         rfcomm_session_hold(s);
2059
2060         list_for_each_safe(p, n, &s->dlcs) {
2061                 d = list_entry(p, struct rfcomm_dlc, list);
2062
2063                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2064                         rfcomm_dlc_clear_timer(d);
2065                         if (status || encrypt == 0x00) {
2066                                 __rfcomm_dlc_close(d, ECONNREFUSED);
2067                                 continue;
2068                         }
2069                 }
2070
2071                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2072                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2073                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2074                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2075                                 continue;
2076                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2077                                 __rfcomm_dlc_close(d, ECONNREFUSED);
2078                                 continue;
2079                         }
2080                 }
2081
2082                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2083                         continue;
2084
2085                 if (!status)
2086                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2087                 else
2088                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2089         }
2090
2091         rfcomm_session_put(s);
2092
2093         rfcomm_schedule(RFCOMM_SCHED_AUTH);
2094 }
2095
2096 static struct hci_cb rfcomm_cb = {
2097         .name           = "RFCOMM",
2098         .security_cfm   = rfcomm_security_cfm
2099 };
2100
2101 static ssize_t rfcomm_dlc_sysfs_show(struct class *dev,
2102                                      struct class_attribute *attr,
2103                                      char *buf)
2104 {
2105         struct rfcomm_session *s;
2106         struct list_head *pp, *p;
2107         char *str = buf;
2108         int size = PAGE_SIZE;
2109
2110         rfcomm_lock();
2111
2112         list_for_each(p, &session_list) {
2113                 s = list_entry(p, struct rfcomm_session, list);
2114                 list_for_each(pp, &s->dlcs) {
2115                         struct sock *sk = s->sock->sk;
2116                         struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
2117                         int len;
2118
2119                         len = snprintf(str, size, "%s %s %ld %d %d %d %d\n",
2120                                         batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
2121                                         d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits);
2122
2123                         size -= len;
2124                         if (size <= 0)
2125                                 break;
2126
2127                         str += len;
2128                 }
2129
2130                 if (size <= 0)
2131                         break;
2132         }
2133
2134         rfcomm_unlock();
2135
2136         return (str - buf);
2137 }
2138
2139 static CLASS_ATTR(rfcomm_dlc, S_IRUGO, rfcomm_dlc_sysfs_show, NULL);
2140
2141 /* ---- Initialization ---- */
2142 static int __init rfcomm_init(void)
2143 {
2144         int err;
2145
2146         l2cap_load();
2147
2148         hci_register_cb(&rfcomm_cb);
2149
2150         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2151         if (IS_ERR(rfcomm_thread)) {
2152                 err = PTR_ERR(rfcomm_thread);
2153                 goto unregister;
2154         }
2155
2156         if (class_create_file(bt_class, &class_attr_rfcomm_dlc) < 0)
2157                 BT_ERR("Failed to create RFCOMM info file");
2158
2159         err = rfcomm_init_ttys();
2160         if (err < 0)
2161                 goto stop;
2162
2163         err = rfcomm_init_sockets();
2164         if (err < 0)
2165                 goto cleanup;
2166
2167         BT_INFO("RFCOMM ver %s", VERSION);
2168
2169         return 0;
2170
2171 cleanup:
2172         rfcomm_cleanup_ttys();
2173
2174 stop:
2175         kthread_stop(rfcomm_thread);
2176
2177 unregister:
2178         hci_unregister_cb(&rfcomm_cb);
2179
2180         return err;
2181 }
2182
2183 static void __exit rfcomm_exit(void)
2184 {
2185         class_remove_file(bt_class, &class_attr_rfcomm_dlc);
2186
2187         hci_unregister_cb(&rfcomm_cb);
2188
2189         kthread_stop(rfcomm_thread);
2190
2191         rfcomm_cleanup_ttys();
2192
2193         rfcomm_cleanup_sockets();
2194 }
2195
2196 module_init(rfcomm_init);
2197 module_exit(rfcomm_exit);
2198
2199 module_param(disable_cfc, bool, 0644);
2200 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2201
2202 module_param(channel_mtu, int, 0644);
2203 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2204
2205 module_param(l2cap_mtu, uint, 0644);
2206 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2207
2208 module_param(l2cap_ertm, bool, 0644);
2209 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2210
2211 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2212 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2213 MODULE_VERSION(VERSION);
2214 MODULE_LICENSE("GPL");
2215 MODULE_ALIAS("bt-proto-3");