fb1d83ddc5ab5f78dc0f67fc638707619f800cb9
[linux-3.10.git] / net / bluetooth / rfcomm / core.c
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25  * Bluetooth RFCOMM core.
26  */
27
28 #include <linux/module.h>
29 #include <linux/debugfs.h>
30 #include <linux/kthread.h>
31 #include <asm/unaligned.h>
32
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35 #include <net/bluetooth/l2cap.h>
36 #include <net/bluetooth/rfcomm.h>
37
38 #define VERSION "1.11"
39
40 static bool disable_cfc;
41 static bool l2cap_ertm;
42 static int channel_mtu = -1;
43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44
45 static struct task_struct *rfcomm_thread;
46
47 static DEFINE_MUTEX(rfcomm_mutex);
48 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
49 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
50
51
52 static LIST_HEAD(session_list);
53
54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64
65 static void rfcomm_process_connect(struct rfcomm_session *s);
66
67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68                                                         bdaddr_t *dst,
69                                                         u8 sec_level,
70                                                         int *err);
71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
72 static void rfcomm_session_del(struct rfcomm_session *s);
73
74 /* ---- RFCOMM frame parsing macros ---- */
75 #define __get_dlci(b)     ((b & 0xfc) >> 2)
76 #define __get_channel(b)  ((b & 0xf8) >> 3)
77 #define __get_dir(b)      ((b & 0x04) >> 2)
78 #define __get_type(b)     ((b & 0xef))
79
80 #define __test_ea(b)      ((b & 0x01))
81 #define __test_cr(b)      ((b & 0x02))
82 #define __test_pf(b)      ((b & 0x10))
83
84 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
85 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
86 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
87 #define __srv_channel(dlci)    (dlci >> 1)
88 #define __dir(dlci)            (dlci & 0x01)
89
90 #define __len8(len)       (((len) << 1) | 1)
91 #define __len16(len)      ((len) << 1)
92
93 /* MCC macros */
94 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
95 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
96 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
97
98 /* RPN macros */
99 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
100 #define __get_rpn_data_bits(line) ((line) & 0x3)
101 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
102 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
103
104 static void rfcomm_schedule(void)
105 {
106         if (!rfcomm_thread)
107                 return;
108         wake_up_process(rfcomm_thread);
109 }
110
111 static void rfcomm_session_put(struct rfcomm_session *s)
112 {
113         if (atomic_dec_and_test(&s->refcnt))
114                 rfcomm_session_del(s);
115 }
116
117 /* ---- RFCOMM FCS computation ---- */
118
119 /* reversed, 8-bit, poly=0x07 */
120 static unsigned char rfcomm_crc_table[256] = {
121         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
122         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
123         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
124         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
125
126         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
127         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
128         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
129         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
130
131         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
132         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
133         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
134         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
135
136         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
137         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
138         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
139         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
140
141         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
142         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
143         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
144         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
145
146         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
147         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
148         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
149         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
150
151         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
152         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
153         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
154         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
155
156         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
157         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
158         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
159         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
160 };
161
162 /* CRC on 2 bytes */
163 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
164
165 /* FCS on 2 bytes */
166 static inline u8 __fcs(u8 *data)
167 {
168         return 0xff - __crc(data);
169 }
170
171 /* FCS on 3 bytes */
172 static inline u8 __fcs2(u8 *data)
173 {
174         return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
175 }
176
177 /* Check FCS */
178 static inline int __check_fcs(u8 *data, int type, u8 fcs)
179 {
180         u8 f = __crc(data);
181
182         if (type != RFCOMM_UIH)
183                 f = rfcomm_crc_table[f ^ data[2]];
184
185         return rfcomm_crc_table[f ^ fcs] != 0xcf;
186 }
187
188 /* ---- L2CAP callbacks ---- */
189 static void rfcomm_l2state_change(struct sock *sk)
190 {
191         BT_DBG("%p state %d", sk, sk->sk_state);
192         rfcomm_schedule();
193 }
194
195 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
196 {
197         BT_DBG("%p bytes %d", sk, bytes);
198         rfcomm_schedule();
199 }
200
201 static int rfcomm_l2sock_create(struct socket **sock)
202 {
203         int err;
204
205         BT_DBG("");
206
207         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
208         if (!err) {
209                 struct sock *sk = (*sock)->sk;
210                 sk->sk_data_ready   = rfcomm_l2data_ready;
211                 sk->sk_state_change = rfcomm_l2state_change;
212         }
213         return err;
214 }
215
216 static int rfcomm_check_security(struct rfcomm_dlc *d)
217 {
218         struct sock *sk = d->session->sock->sk;
219         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
220
221         __u8 auth_type;
222
223         switch (d->sec_level) {
224         case BT_SECURITY_HIGH:
225                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
226                 break;
227         case BT_SECURITY_MEDIUM:
228                 auth_type = HCI_AT_GENERAL_BONDING;
229                 break;
230         default:
231                 auth_type = HCI_AT_NO_BONDING;
232                 break;
233         }
234
235         return hci_conn_security(conn->hcon, d->sec_level, auth_type);
236 }
237
238 static void rfcomm_session_timeout(unsigned long arg)
239 {
240         struct rfcomm_session *s = (void *) arg;
241
242         BT_DBG("session %p state %ld", s, s->state);
243
244         set_bit(RFCOMM_TIMED_OUT, &s->flags);
245         rfcomm_schedule();
246 }
247
248 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
249 {
250         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
251
252         if (!mod_timer(&s->timer, jiffies + timeout))
253                 rfcomm_session_hold(s);
254 }
255
256 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
257 {
258         BT_DBG("session %p state %ld", s, s->state);
259
260         if (timer_pending(&s->timer) && del_timer(&s->timer))
261                 rfcomm_session_put(s);
262 }
263
264 /* ---- RFCOMM DLCs ---- */
265 static void rfcomm_dlc_timeout(unsigned long arg)
266 {
267         struct rfcomm_dlc *d = (void *) arg;
268
269         BT_DBG("dlc %p state %ld", d, d->state);
270
271         set_bit(RFCOMM_TIMED_OUT, &d->flags);
272         rfcomm_dlc_put(d);
273         rfcomm_schedule();
274 }
275
276 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
277 {
278         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
279
280         if (!mod_timer(&d->timer, jiffies + timeout))
281                 rfcomm_dlc_hold(d);
282 }
283
284 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
285 {
286         BT_DBG("dlc %p state %ld", d, d->state);
287
288         if (timer_pending(&d->timer) && del_timer(&d->timer))
289                 rfcomm_dlc_put(d);
290 }
291
292 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
293 {
294         BT_DBG("%p", d);
295
296         d->state      = BT_OPEN;
297         d->flags      = 0;
298         d->mscex      = 0;
299         d->sec_level  = BT_SECURITY_LOW;
300         d->mtu        = RFCOMM_DEFAULT_MTU;
301         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
302
303         d->cfc        = RFCOMM_CFC_DISABLED;
304         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
305 }
306
307 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
308 {
309         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
310
311         if (!d)
312                 return NULL;
313
314         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
315
316         skb_queue_head_init(&d->tx_queue);
317         spin_lock_init(&d->lock);
318         atomic_set(&d->refcnt, 1);
319
320         rfcomm_dlc_clear_state(d);
321
322         BT_DBG("%p", d);
323
324         return d;
325 }
326
327 void rfcomm_dlc_free(struct rfcomm_dlc *d)
328 {
329         BT_DBG("%p", d);
330
331         skb_queue_purge(&d->tx_queue);
332         kfree(d);
333 }
334
335 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
336 {
337         BT_DBG("dlc %p session %p", d, s);
338
339         rfcomm_session_hold(s);
340
341         rfcomm_session_clear_timer(s);
342         rfcomm_dlc_hold(d);
343         list_add(&d->list, &s->dlcs);
344         d->session = s;
345 }
346
347 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
348 {
349         struct rfcomm_session *s = d->session;
350
351         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
352
353         list_del(&d->list);
354         d->session = NULL;
355         rfcomm_dlc_put(d);
356
357         if (list_empty(&s->dlcs))
358                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
359
360         rfcomm_session_put(s);
361 }
362
363 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
364 {
365         struct rfcomm_dlc *d;
366
367         list_for_each_entry(d, &s->dlcs, list)
368                 if (d->dlci == dlci)
369                         return d;
370
371         return NULL;
372 }
373
374 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
375 {
376         struct rfcomm_session *s;
377         int err = 0;
378         u8 dlci;
379
380         BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
381                d, d->state, src, dst, channel);
382
383         if (channel < 1 || channel > 30)
384                 return -EINVAL;
385
386         if (d->state != BT_OPEN && d->state != BT_CLOSED)
387                 return 0;
388
389         s = rfcomm_session_get(src, dst);
390         if (!s) {
391                 s = rfcomm_session_create(src, dst, d->sec_level, &err);
392                 if (!s)
393                         return err;
394         }
395
396         dlci = __dlci(!s->initiator, channel);
397
398         /* Check if DLCI already exists */
399         if (rfcomm_dlc_get(s, dlci))
400                 return -EBUSY;
401
402         rfcomm_dlc_clear_state(d);
403
404         d->dlci     = dlci;
405         d->addr     = __addr(s->initiator, dlci);
406         d->priority = 7;
407
408         d->state = BT_CONFIG;
409         rfcomm_dlc_link(s, d);
410
411         d->out = 1;
412
413         d->mtu = s->mtu;
414         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
415
416         if (s->state == BT_CONNECTED) {
417                 if (rfcomm_check_security(d))
418                         rfcomm_send_pn(s, 1, d);
419                 else
420                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
421         }
422
423         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
424
425         return 0;
426 }
427
428 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
429 {
430         int r;
431
432         rfcomm_lock();
433
434         r = __rfcomm_dlc_open(d, src, dst, channel);
435
436         rfcomm_unlock();
437         return r;
438 }
439
440 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
441 {
442         struct rfcomm_session *s = d->session;
443         if (!s)
444                 return 0;
445
446         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
447                         d, d->state, d->dlci, err, s);
448
449         switch (d->state) {
450         case BT_CONNECT:
451         case BT_CONFIG:
452                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
453                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
454                         rfcomm_schedule();
455                         break;
456                 }
457                 /* Fall through */
458
459         case BT_CONNECTED:
460                 d->state = BT_DISCONN;
461                 if (skb_queue_empty(&d->tx_queue)) {
462                         rfcomm_send_disc(s, d->dlci);
463                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
464                 } else {
465                         rfcomm_queue_disc(d);
466                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
467                 }
468                 break;
469
470         case BT_OPEN:
471         case BT_CONNECT2:
472                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
473                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
474                         rfcomm_schedule();
475                         break;
476                 }
477                 /* Fall through */
478
479         default:
480                 rfcomm_dlc_clear_timer(d);
481
482                 rfcomm_dlc_lock(d);
483                 d->state = BT_CLOSED;
484                 d->state_change(d, err);
485                 rfcomm_dlc_unlock(d);
486
487                 skb_queue_purge(&d->tx_queue);
488                 rfcomm_dlc_unlink(d);
489         }
490
491         return 0;
492 }
493
494 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
495 {
496         int r;
497
498         rfcomm_lock();
499
500         r = __rfcomm_dlc_close(d, err);
501
502         rfcomm_unlock();
503         return r;
504 }
505
506 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
507 {
508         int len = skb->len;
509
510         if (d->state != BT_CONNECTED)
511                 return -ENOTCONN;
512
513         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
514
515         if (len > d->mtu)
516                 return -EINVAL;
517
518         rfcomm_make_uih(skb, d->addr);
519         skb_queue_tail(&d->tx_queue, skb);
520
521         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
522                 rfcomm_schedule();
523         return len;
524 }
525
526 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
527 {
528         BT_DBG("dlc %p state %ld", d, d->state);
529
530         if (!d->cfc) {
531                 d->v24_sig |= RFCOMM_V24_FC;
532                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
533         }
534         rfcomm_schedule();
535 }
536
537 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
538 {
539         BT_DBG("dlc %p state %ld", d, d->state);
540
541         if (!d->cfc) {
542                 d->v24_sig &= ~RFCOMM_V24_FC;
543                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
544         }
545         rfcomm_schedule();
546 }
547
548 /*
549    Set/get modem status functions use _local_ status i.e. what we report
550    to the other side.
551    Remote status is provided by dlc->modem_status() callback.
552  */
553 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
554 {
555         BT_DBG("dlc %p state %ld v24_sig 0x%x",
556                         d, d->state, v24_sig);
557
558         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
559                 v24_sig |= RFCOMM_V24_FC;
560         else
561                 v24_sig &= ~RFCOMM_V24_FC;
562
563         d->v24_sig = v24_sig;
564
565         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
566                 rfcomm_schedule();
567
568         return 0;
569 }
570
571 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
572 {
573         BT_DBG("dlc %p state %ld v24_sig 0x%x",
574                         d, d->state, d->v24_sig);
575
576         *v24_sig = d->v24_sig;
577         return 0;
578 }
579
580 /* ---- RFCOMM sessions ---- */
581 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
582 {
583         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
584
585         if (!s)
586                 return NULL;
587
588         BT_DBG("session %p sock %p", s, sock);
589
590         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
591
592         INIT_LIST_HEAD(&s->dlcs);
593         s->state = state;
594         s->sock  = sock;
595
596         s->mtu = RFCOMM_DEFAULT_MTU;
597         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
598
599         /* Do not increment module usage count for listening sessions.
600          * Otherwise we won't be able to unload the module. */
601         if (state != BT_LISTEN)
602                 if (!try_module_get(THIS_MODULE)) {
603                         kfree(s);
604                         return NULL;
605                 }
606
607         list_add(&s->list, &session_list);
608
609         return s;
610 }
611
612 static void rfcomm_session_del(struct rfcomm_session *s)
613 {
614         int state = s->state;
615
616         BT_DBG("session %p state %ld", s, s->state);
617
618         list_del(&s->list);
619
620         if (state == BT_CONNECTED)
621                 rfcomm_send_disc(s, 0);
622
623         rfcomm_session_clear_timer(s);
624         sock_release(s->sock);
625         kfree(s);
626
627         if (state != BT_LISTEN)
628                 module_put(THIS_MODULE);
629 }
630
631 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
632 {
633         struct rfcomm_session *s;
634         struct list_head *p, *n;
635         struct bt_sock *sk;
636         list_for_each_safe(p, n, &session_list) {
637                 s = list_entry(p, struct rfcomm_session, list);
638                 sk = bt_sk(s->sock->sk);
639
640                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
641                                 !bacmp(&sk->dst, dst))
642                         return s;
643         }
644         return NULL;
645 }
646
647 static void rfcomm_session_close(struct rfcomm_session *s, int err)
648 {
649         struct rfcomm_dlc *d;
650         struct list_head *p, *n;
651
652         BT_DBG("session %p state %ld err %d", s, s->state, err);
653
654         rfcomm_session_hold(s);
655
656         s->state = BT_CLOSED;
657
658         /* Close all dlcs */
659         list_for_each_safe(p, n, &s->dlcs) {
660                 d = list_entry(p, struct rfcomm_dlc, list);
661                 d->state = BT_CLOSED;
662                 __rfcomm_dlc_close(d, err);
663         }
664
665         rfcomm_session_clear_timer(s);
666         rfcomm_session_put(s);
667 }
668
669 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
670                                                         bdaddr_t *dst,
671                                                         u8 sec_level,
672                                                         int *err)
673 {
674         struct rfcomm_session *s = NULL;
675         struct sockaddr_l2 addr;
676         struct socket *sock;
677         struct sock *sk;
678
679         BT_DBG("%pMR -> %pMR", src, dst);
680
681         *err = rfcomm_l2sock_create(&sock);
682         if (*err < 0)
683                 return NULL;
684
685         bacpy(&addr.l2_bdaddr, src);
686         addr.l2_family = AF_BLUETOOTH;
687         addr.l2_psm    = 0;
688         addr.l2_cid    = 0;
689         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
690         if (*err < 0)
691                 goto failed;
692
693         /* Set L2CAP options */
694         sk = sock->sk;
695         lock_sock(sk);
696         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
697         l2cap_pi(sk)->chan->sec_level = sec_level;
698         if (l2cap_ertm)
699                 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
700         release_sock(sk);
701
702         s = rfcomm_session_add(sock, BT_BOUND);
703         if (!s) {
704                 *err = -ENOMEM;
705                 goto failed;
706         }
707
708         s->initiator = 1;
709
710         bacpy(&addr.l2_bdaddr, dst);
711         addr.l2_family = AF_BLUETOOTH;
712         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
713         addr.l2_cid    = 0;
714         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
715         if (*err == 0 || *err == -EINPROGRESS)
716                 return s;
717
718         rfcomm_session_del(s);
719         return NULL;
720
721 failed:
722         sock_release(sock);
723         return NULL;
724 }
725
726 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
727 {
728         struct sock *sk = s->sock->sk;
729         if (src)
730                 bacpy(src, &bt_sk(sk)->src);
731         if (dst)
732                 bacpy(dst, &bt_sk(sk)->dst);
733 }
734
735 /* ---- RFCOMM frame sending ---- */
736 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
737 {
738         struct kvec iv = { data, len };
739         struct msghdr msg;
740
741         BT_DBG("session %p len %d", s, len);
742
743         memset(&msg, 0, sizeof(msg));
744
745         return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
746 }
747
748 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
749 {
750         BT_DBG("%p cmd %u", s, cmd->ctrl);
751
752         return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
753 }
754
755 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
756 {
757         struct rfcomm_cmd cmd;
758
759         BT_DBG("%p dlci %d", s, dlci);
760
761         cmd.addr = __addr(s->initiator, dlci);
762         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
763         cmd.len  = __len8(0);
764         cmd.fcs  = __fcs2((u8 *) &cmd);
765
766         return rfcomm_send_cmd(s, &cmd);
767 }
768
769 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
770 {
771         struct rfcomm_cmd cmd;
772
773         BT_DBG("%p dlci %d", s, dlci);
774
775         cmd.addr = __addr(!s->initiator, dlci);
776         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
777         cmd.len  = __len8(0);
778         cmd.fcs  = __fcs2((u8 *) &cmd);
779
780         return rfcomm_send_cmd(s, &cmd);
781 }
782
783 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
784 {
785         struct rfcomm_cmd cmd;
786
787         BT_DBG("%p dlci %d", s, dlci);
788
789         cmd.addr = __addr(s->initiator, dlci);
790         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
791         cmd.len  = __len8(0);
792         cmd.fcs  = __fcs2((u8 *) &cmd);
793
794         return rfcomm_send_cmd(s, &cmd);
795 }
796
797 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
798 {
799         struct rfcomm_cmd *cmd;
800         struct sk_buff *skb;
801
802         BT_DBG("dlc %p dlci %d", d, d->dlci);
803
804         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
805         if (!skb)
806                 return -ENOMEM;
807
808         cmd = (void *) __skb_put(skb, sizeof(*cmd));
809         cmd->addr = d->addr;
810         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
811         cmd->len  = __len8(0);
812         cmd->fcs  = __fcs2((u8 *) cmd);
813
814         skb_queue_tail(&d->tx_queue, skb);
815         rfcomm_schedule();
816         return 0;
817 }
818
819 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
820 {
821         struct rfcomm_cmd cmd;
822
823         BT_DBG("%p dlci %d", s, dlci);
824
825         cmd.addr = __addr(!s->initiator, dlci);
826         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
827         cmd.len  = __len8(0);
828         cmd.fcs  = __fcs2((u8 *) &cmd);
829
830         return rfcomm_send_cmd(s, &cmd);
831 }
832
833 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
834 {
835         struct rfcomm_hdr *hdr;
836         struct rfcomm_mcc *mcc;
837         u8 buf[16], *ptr = buf;
838
839         BT_DBG("%p cr %d type %d", s, cr, type);
840
841         hdr = (void *) ptr; ptr += sizeof(*hdr);
842         hdr->addr = __addr(s->initiator, 0);
843         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
844         hdr->len  = __len8(sizeof(*mcc) + 1);
845
846         mcc = (void *) ptr; ptr += sizeof(*mcc);
847         mcc->type = __mcc_type(cr, RFCOMM_NSC);
848         mcc->len  = __len8(1);
849
850         /* Type that we didn't like */
851         *ptr = __mcc_type(cr, type); ptr++;
852
853         *ptr = __fcs(buf); ptr++;
854
855         return rfcomm_send_frame(s, buf, ptr - buf);
856 }
857
858 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
859 {
860         struct rfcomm_hdr *hdr;
861         struct rfcomm_mcc *mcc;
862         struct rfcomm_pn  *pn;
863         u8 buf[16], *ptr = buf;
864
865         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
866
867         hdr = (void *) ptr; ptr += sizeof(*hdr);
868         hdr->addr = __addr(s->initiator, 0);
869         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
870         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
871
872         mcc = (void *) ptr; ptr += sizeof(*mcc);
873         mcc->type = __mcc_type(cr, RFCOMM_PN);
874         mcc->len  = __len8(sizeof(*pn));
875
876         pn = (void *) ptr; ptr += sizeof(*pn);
877         pn->dlci        = d->dlci;
878         pn->priority    = d->priority;
879         pn->ack_timer   = 0;
880         pn->max_retrans = 0;
881
882         if (s->cfc) {
883                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
884                 pn->credits = RFCOMM_DEFAULT_CREDITS;
885         } else {
886                 pn->flow_ctrl = 0;
887                 pn->credits   = 0;
888         }
889
890         if (cr && channel_mtu >= 0)
891                 pn->mtu = cpu_to_le16(channel_mtu);
892         else
893                 pn->mtu = cpu_to_le16(d->mtu);
894
895         *ptr = __fcs(buf); ptr++;
896
897         return rfcomm_send_frame(s, buf, ptr - buf);
898 }
899
900 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
901                         u8 bit_rate, u8 data_bits, u8 stop_bits,
902                         u8 parity, u8 flow_ctrl_settings,
903                         u8 xon_char, u8 xoff_char, u16 param_mask)
904 {
905         struct rfcomm_hdr *hdr;
906         struct rfcomm_mcc *mcc;
907         struct rfcomm_rpn *rpn;
908         u8 buf[16], *ptr = buf;
909
910         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
911                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
912                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
913                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
914
915         hdr = (void *) ptr; ptr += sizeof(*hdr);
916         hdr->addr = __addr(s->initiator, 0);
917         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
918         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
919
920         mcc = (void *) ptr; ptr += sizeof(*mcc);
921         mcc->type = __mcc_type(cr, RFCOMM_RPN);
922         mcc->len  = __len8(sizeof(*rpn));
923
924         rpn = (void *) ptr; ptr += sizeof(*rpn);
925         rpn->dlci          = __addr(1, dlci);
926         rpn->bit_rate      = bit_rate;
927         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
928         rpn->flow_ctrl     = flow_ctrl_settings;
929         rpn->xon_char      = xon_char;
930         rpn->xoff_char     = xoff_char;
931         rpn->param_mask    = cpu_to_le16(param_mask);
932
933         *ptr = __fcs(buf); ptr++;
934
935         return rfcomm_send_frame(s, buf, ptr - buf);
936 }
937
938 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
939 {
940         struct rfcomm_hdr *hdr;
941         struct rfcomm_mcc *mcc;
942         struct rfcomm_rls *rls;
943         u8 buf[16], *ptr = buf;
944
945         BT_DBG("%p cr %d status 0x%x", s, cr, status);
946
947         hdr = (void *) ptr; ptr += sizeof(*hdr);
948         hdr->addr = __addr(s->initiator, 0);
949         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
950         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
951
952         mcc = (void *) ptr; ptr += sizeof(*mcc);
953         mcc->type = __mcc_type(cr, RFCOMM_RLS);
954         mcc->len  = __len8(sizeof(*rls));
955
956         rls = (void *) ptr; ptr += sizeof(*rls);
957         rls->dlci   = __addr(1, dlci);
958         rls->status = status;
959
960         *ptr = __fcs(buf); ptr++;
961
962         return rfcomm_send_frame(s, buf, ptr - buf);
963 }
964
965 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
966 {
967         struct rfcomm_hdr *hdr;
968         struct rfcomm_mcc *mcc;
969         struct rfcomm_msc *msc;
970         u8 buf[16], *ptr = buf;
971
972         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
973
974         hdr = (void *) ptr; ptr += sizeof(*hdr);
975         hdr->addr = __addr(s->initiator, 0);
976         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
977         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
978
979         mcc = (void *) ptr; ptr += sizeof(*mcc);
980         mcc->type = __mcc_type(cr, RFCOMM_MSC);
981         mcc->len  = __len8(sizeof(*msc));
982
983         msc = (void *) ptr; ptr += sizeof(*msc);
984         msc->dlci    = __addr(1, dlci);
985         msc->v24_sig = v24_sig | 0x01;
986
987         *ptr = __fcs(buf); ptr++;
988
989         return rfcomm_send_frame(s, buf, ptr - buf);
990 }
991
992 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
993 {
994         struct rfcomm_hdr *hdr;
995         struct rfcomm_mcc *mcc;
996         u8 buf[16], *ptr = buf;
997
998         BT_DBG("%p cr %d", s, cr);
999
1000         hdr = (void *) ptr; ptr += sizeof(*hdr);
1001         hdr->addr = __addr(s->initiator, 0);
1002         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1003         hdr->len  = __len8(sizeof(*mcc));
1004
1005         mcc = (void *) ptr; ptr += sizeof(*mcc);
1006         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1007         mcc->len  = __len8(0);
1008
1009         *ptr = __fcs(buf); ptr++;
1010
1011         return rfcomm_send_frame(s, buf, ptr - buf);
1012 }
1013
1014 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1015 {
1016         struct rfcomm_hdr *hdr;
1017         struct rfcomm_mcc *mcc;
1018         u8 buf[16], *ptr = buf;
1019
1020         BT_DBG("%p cr %d", s, cr);
1021
1022         hdr = (void *) ptr; ptr += sizeof(*hdr);
1023         hdr->addr = __addr(s->initiator, 0);
1024         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1025         hdr->len  = __len8(sizeof(*mcc));
1026
1027         mcc = (void *) ptr; ptr += sizeof(*mcc);
1028         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1029         mcc->len  = __len8(0);
1030
1031         *ptr = __fcs(buf); ptr++;
1032
1033         return rfcomm_send_frame(s, buf, ptr - buf);
1034 }
1035
1036 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1037 {
1038         struct socket *sock = s->sock;
1039         struct kvec iv[3];
1040         struct msghdr msg;
1041         unsigned char hdr[5], crc[1];
1042
1043         if (len > 125)
1044                 return -EINVAL;
1045
1046         BT_DBG("%p cr %d", s, cr);
1047
1048         hdr[0] = __addr(s->initiator, 0);
1049         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1050         hdr[2] = 0x01 | ((len + 2) << 1);
1051         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1052         hdr[4] = 0x01 | (len << 1);
1053
1054         crc[0] = __fcs(hdr);
1055
1056         iv[0].iov_base = hdr;
1057         iv[0].iov_len  = 5;
1058         iv[1].iov_base = pattern;
1059         iv[1].iov_len  = len;
1060         iv[2].iov_base = crc;
1061         iv[2].iov_len  = 1;
1062
1063         memset(&msg, 0, sizeof(msg));
1064
1065         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1066 }
1067
1068 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1069 {
1070         struct rfcomm_hdr *hdr;
1071         u8 buf[16], *ptr = buf;
1072
1073         BT_DBG("%p addr %d credits %d", s, addr, credits);
1074
1075         hdr = (void *) ptr; ptr += sizeof(*hdr);
1076         hdr->addr = addr;
1077         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1078         hdr->len  = __len8(0);
1079
1080         *ptr = credits; ptr++;
1081
1082         *ptr = __fcs(buf); ptr++;
1083
1084         return rfcomm_send_frame(s, buf, ptr - buf);
1085 }
1086
1087 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1088 {
1089         struct rfcomm_hdr *hdr;
1090         int len = skb->len;
1091         u8 *crc;
1092
1093         if (len > 127) {
1094                 hdr = (void *) skb_push(skb, 4);
1095                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1096         } else {
1097                 hdr = (void *) skb_push(skb, 3);
1098                 hdr->len = __len8(len);
1099         }
1100         hdr->addr = addr;
1101         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1102
1103         crc = skb_put(skb, 1);
1104         *crc = __fcs((void *) hdr);
1105 }
1106
1107 /* ---- RFCOMM frame reception ---- */
1108 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1109 {
1110         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1111
1112         if (dlci) {
1113                 /* Data channel */
1114                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1115                 if (!d) {
1116                         rfcomm_send_dm(s, dlci);
1117                         return 0;
1118                 }
1119
1120                 switch (d->state) {
1121                 case BT_CONNECT:
1122                         rfcomm_dlc_clear_timer(d);
1123
1124                         rfcomm_dlc_lock(d);
1125                         d->state = BT_CONNECTED;
1126                         d->state_change(d, 0);
1127                         rfcomm_dlc_unlock(d);
1128
1129                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1130                         break;
1131
1132                 case BT_DISCONN:
1133                         d->state = BT_CLOSED;
1134                         __rfcomm_dlc_close(d, 0);
1135
1136                         if (list_empty(&s->dlcs)) {
1137                                 s->state = BT_DISCONN;
1138                                 rfcomm_send_disc(s, 0);
1139                                 rfcomm_session_clear_timer(s);
1140                         }
1141
1142                         break;
1143                 }
1144         } else {
1145                 /* Control channel */
1146                 switch (s->state) {
1147                 case BT_CONNECT:
1148                         s->state = BT_CONNECTED;
1149                         rfcomm_process_connect(s);
1150                         break;
1151
1152                 case BT_DISCONN:
1153                         /* rfcomm_session_put is called later so don't do
1154                          * anything here otherwise we will mess up the session
1155                          * reference counter:
1156                          *
1157                          * (a) when we are the initiator dlc_unlink will drive
1158                          * the reference counter to 0 (there is no initial put
1159                          * after session_add)
1160                          *
1161                          * (b) when we are not the initiator rfcomm_rx_process
1162                          * will explicitly call put to balance the initial hold
1163                          * done after session add.
1164                          */
1165                         break;
1166                 }
1167         }
1168         return 0;
1169 }
1170
1171 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1172 {
1173         int err = 0;
1174
1175         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1176
1177         if (dlci) {
1178                 /* Data DLC */
1179                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1180                 if (d) {
1181                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1182                                 err = ECONNREFUSED;
1183                         else
1184                                 err = ECONNRESET;
1185
1186                         d->state = BT_CLOSED;
1187                         __rfcomm_dlc_close(d, err);
1188                 }
1189         } else {
1190                 if (s->state == BT_CONNECT)
1191                         err = ECONNREFUSED;
1192                 else
1193                         err = ECONNRESET;
1194
1195                 s->state = BT_CLOSED;
1196                 rfcomm_session_close(s, err);
1197         }
1198         return 0;
1199 }
1200
1201 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1202 {
1203         int err = 0;
1204
1205         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1206
1207         if (dlci) {
1208                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1209                 if (d) {
1210                         rfcomm_send_ua(s, dlci);
1211
1212                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1213                                 err = ECONNREFUSED;
1214                         else
1215                                 err = ECONNRESET;
1216
1217                         d->state = BT_CLOSED;
1218                         __rfcomm_dlc_close(d, err);
1219                 } else
1220                         rfcomm_send_dm(s, dlci);
1221
1222         } else {
1223                 rfcomm_send_ua(s, 0);
1224
1225                 if (s->state == BT_CONNECT)
1226                         err = ECONNREFUSED;
1227                 else
1228                         err = ECONNRESET;
1229
1230                 s->state = BT_CLOSED;
1231                 rfcomm_session_close(s, err);
1232         }
1233
1234         return 0;
1235 }
1236
1237 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1238 {
1239         struct sock *sk = d->session->sock->sk;
1240         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1241
1242         BT_DBG("dlc %p", d);
1243
1244         rfcomm_send_ua(d->session, d->dlci);
1245
1246         rfcomm_dlc_clear_timer(d);
1247
1248         rfcomm_dlc_lock(d);
1249         d->state = BT_CONNECTED;
1250         d->state_change(d, 0);
1251         rfcomm_dlc_unlock(d);
1252
1253         if (d->role_switch)
1254                 hci_conn_switch_role(conn->hcon, 0x00);
1255
1256         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1257 }
1258
1259 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1260 {
1261         if (rfcomm_check_security(d)) {
1262                 if (d->defer_setup) {
1263                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1264                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1265
1266                         rfcomm_dlc_lock(d);
1267                         d->state = BT_CONNECT2;
1268                         d->state_change(d, 0);
1269                         rfcomm_dlc_unlock(d);
1270                 } else
1271                         rfcomm_dlc_accept(d);
1272         } else {
1273                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1274                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1275         }
1276 }
1277
1278 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1279 {
1280         struct rfcomm_dlc *d;
1281         u8 channel;
1282
1283         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1284
1285         if (!dlci) {
1286                 rfcomm_send_ua(s, 0);
1287
1288                 if (s->state == BT_OPEN) {
1289                         s->state = BT_CONNECTED;
1290                         rfcomm_process_connect(s);
1291                 }
1292                 return 0;
1293         }
1294
1295         /* Check if DLC exists */
1296         d = rfcomm_dlc_get(s, dlci);
1297         if (d) {
1298                 if (d->state == BT_OPEN) {
1299                         /* DLC was previously opened by PN request */
1300                         rfcomm_check_accept(d);
1301                 }
1302                 return 0;
1303         }
1304
1305         /* Notify socket layer about incoming connection */
1306         channel = __srv_channel(dlci);
1307         if (rfcomm_connect_ind(s, channel, &d)) {
1308                 d->dlci = dlci;
1309                 d->addr = __addr(s->initiator, dlci);
1310                 rfcomm_dlc_link(s, d);
1311
1312                 rfcomm_check_accept(d);
1313         } else {
1314                 rfcomm_send_dm(s, dlci);
1315         }
1316
1317         return 0;
1318 }
1319
1320 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1321 {
1322         struct rfcomm_session *s = d->session;
1323
1324         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1325                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1326
1327         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1328                                                 pn->flow_ctrl == 0xe0) {
1329                 d->cfc = RFCOMM_CFC_ENABLED;
1330                 d->tx_credits = pn->credits;
1331         } else {
1332                 d->cfc = RFCOMM_CFC_DISABLED;
1333                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1334         }
1335
1336         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1337                 s->cfc = d->cfc;
1338
1339         d->priority = pn->priority;
1340
1341         d->mtu = __le16_to_cpu(pn->mtu);
1342
1343         if (cr && d->mtu > s->mtu)
1344                 d->mtu = s->mtu;
1345
1346         return 0;
1347 }
1348
1349 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1350 {
1351         struct rfcomm_pn *pn = (void *) skb->data;
1352         struct rfcomm_dlc *d;
1353         u8 dlci = pn->dlci;
1354
1355         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1356
1357         if (!dlci)
1358                 return 0;
1359
1360         d = rfcomm_dlc_get(s, dlci);
1361         if (d) {
1362                 if (cr) {
1363                         /* PN request */
1364                         rfcomm_apply_pn(d, cr, pn);
1365                         rfcomm_send_pn(s, 0, d);
1366                 } else {
1367                         /* PN response */
1368                         switch (d->state) {
1369                         case BT_CONFIG:
1370                                 rfcomm_apply_pn(d, cr, pn);
1371
1372                                 d->state = BT_CONNECT;
1373                                 rfcomm_send_sabm(s, d->dlci);
1374                                 break;
1375                         }
1376                 }
1377         } else {
1378                 u8 channel = __srv_channel(dlci);
1379
1380                 if (!cr)
1381                         return 0;
1382
1383                 /* PN request for non existing DLC.
1384                  * Assume incoming connection. */
1385                 if (rfcomm_connect_ind(s, channel, &d)) {
1386                         d->dlci = dlci;
1387                         d->addr = __addr(s->initiator, dlci);
1388                         rfcomm_dlc_link(s, d);
1389
1390                         rfcomm_apply_pn(d, cr, pn);
1391
1392                         d->state = BT_OPEN;
1393                         rfcomm_send_pn(s, 0, d);
1394                 } else {
1395                         rfcomm_send_dm(s, dlci);
1396                 }
1397         }
1398         return 0;
1399 }
1400
1401 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1402 {
1403         struct rfcomm_rpn *rpn = (void *) skb->data;
1404         u8 dlci = __get_dlci(rpn->dlci);
1405
1406         u8 bit_rate  = 0;
1407         u8 data_bits = 0;
1408         u8 stop_bits = 0;
1409         u8 parity    = 0;
1410         u8 flow_ctrl = 0;
1411         u8 xon_char  = 0;
1412         u8 xoff_char = 0;
1413         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1414
1415         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1416                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1417                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1418
1419         if (!cr)
1420                 return 0;
1421
1422         if (len == 1) {
1423                 /* This is a request, return default (according to ETSI TS 07.10) settings */
1424                 bit_rate  = RFCOMM_RPN_BR_9600;
1425                 data_bits = RFCOMM_RPN_DATA_8;
1426                 stop_bits = RFCOMM_RPN_STOP_1;
1427                 parity    = RFCOMM_RPN_PARITY_NONE;
1428                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1429                 xon_char  = RFCOMM_RPN_XON_CHAR;
1430                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1431                 goto rpn_out;
1432         }
1433
1434         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1435          * no parity, no flow control lines, normal XON/XOFF chars */
1436
1437         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1438                 bit_rate = rpn->bit_rate;
1439                 if (bit_rate > RFCOMM_RPN_BR_230400) {
1440                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1441                         bit_rate = RFCOMM_RPN_BR_9600;
1442                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1443                 }
1444         }
1445
1446         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1447                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1448                 if (data_bits != RFCOMM_RPN_DATA_8) {
1449                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1450                         data_bits = RFCOMM_RPN_DATA_8;
1451                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1452                 }
1453         }
1454
1455         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1456                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1457                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1458                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1459                         stop_bits = RFCOMM_RPN_STOP_1;
1460                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1461                 }
1462         }
1463
1464         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1465                 parity = __get_rpn_parity(rpn->line_settings);
1466                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1467                         BT_DBG("RPN parity mismatch 0x%x", parity);
1468                         parity = RFCOMM_RPN_PARITY_NONE;
1469                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1470                 }
1471         }
1472
1473         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1474                 flow_ctrl = rpn->flow_ctrl;
1475                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1476                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1477                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1478                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1479                 }
1480         }
1481
1482         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1483                 xon_char = rpn->xon_char;
1484                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1485                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1486                         xon_char = RFCOMM_RPN_XON_CHAR;
1487                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1488                 }
1489         }
1490
1491         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1492                 xoff_char = rpn->xoff_char;
1493                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1494                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1495                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1496                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1497                 }
1498         }
1499
1500 rpn_out:
1501         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1502                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1503
1504         return 0;
1505 }
1506
1507 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1508 {
1509         struct rfcomm_rls *rls = (void *) skb->data;
1510         u8 dlci = __get_dlci(rls->dlci);
1511
1512         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1513
1514         if (!cr)
1515                 return 0;
1516
1517         /* We should probably do something with this information here. But
1518          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1519          * mandatory to recognise and respond to RLS */
1520
1521         rfcomm_send_rls(s, 0, dlci, rls->status);
1522
1523         return 0;
1524 }
1525
1526 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1527 {
1528         struct rfcomm_msc *msc = (void *) skb->data;
1529         struct rfcomm_dlc *d;
1530         u8 dlci = __get_dlci(msc->dlci);
1531
1532         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1533
1534         d = rfcomm_dlc_get(s, dlci);
1535         if (!d)
1536                 return 0;
1537
1538         if (cr) {
1539                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1540                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1541                 else
1542                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1543
1544                 rfcomm_dlc_lock(d);
1545
1546                 d->remote_v24_sig = msc->v24_sig;
1547
1548                 if (d->modem_status)
1549                         d->modem_status(d, msc->v24_sig);
1550
1551                 rfcomm_dlc_unlock(d);
1552
1553                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1554
1555                 d->mscex |= RFCOMM_MSCEX_RX;
1556         } else
1557                 d->mscex |= RFCOMM_MSCEX_TX;
1558
1559         return 0;
1560 }
1561
1562 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1563 {
1564         struct rfcomm_mcc *mcc = (void *) skb->data;
1565         u8 type, cr, len;
1566
1567         cr   = __test_cr(mcc->type);
1568         type = __get_mcc_type(mcc->type);
1569         len  = __get_mcc_len(mcc->len);
1570
1571         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1572
1573         skb_pull(skb, 2);
1574
1575         switch (type) {
1576         case RFCOMM_PN:
1577                 rfcomm_recv_pn(s, cr, skb);
1578                 break;
1579
1580         case RFCOMM_RPN:
1581                 rfcomm_recv_rpn(s, cr, len, skb);
1582                 break;
1583
1584         case RFCOMM_RLS:
1585                 rfcomm_recv_rls(s, cr, skb);
1586                 break;
1587
1588         case RFCOMM_MSC:
1589                 rfcomm_recv_msc(s, cr, skb);
1590                 break;
1591
1592         case RFCOMM_FCOFF:
1593                 if (cr) {
1594                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1595                         rfcomm_send_fcoff(s, 0);
1596                 }
1597                 break;
1598
1599         case RFCOMM_FCON:
1600                 if (cr) {
1601                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1602                         rfcomm_send_fcon(s, 0);
1603                 }
1604                 break;
1605
1606         case RFCOMM_TEST:
1607                 if (cr)
1608                         rfcomm_send_test(s, 0, skb->data, skb->len);
1609                 break;
1610
1611         case RFCOMM_NSC:
1612                 break;
1613
1614         default:
1615                 BT_ERR("Unknown control type 0x%02x", type);
1616                 rfcomm_send_nsc(s, cr, type);
1617                 break;
1618         }
1619         return 0;
1620 }
1621
1622 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1623 {
1624         struct rfcomm_dlc *d;
1625
1626         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1627
1628         d = rfcomm_dlc_get(s, dlci);
1629         if (!d) {
1630                 rfcomm_send_dm(s, dlci);
1631                 goto drop;
1632         }
1633
1634         if (pf && d->cfc) {
1635                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1636
1637                 d->tx_credits += credits;
1638                 if (d->tx_credits)
1639                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1640         }
1641
1642         if (skb->len && d->state == BT_CONNECTED) {
1643                 rfcomm_dlc_lock(d);
1644                 d->rx_credits--;
1645                 d->data_ready(d, skb);
1646                 rfcomm_dlc_unlock(d);
1647                 return 0;
1648         }
1649
1650 drop:
1651         kfree_skb(skb);
1652         return 0;
1653 }
1654
1655 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1656 {
1657         struct rfcomm_hdr *hdr = (void *) skb->data;
1658         u8 type, dlci, fcs;
1659
1660         dlci = __get_dlci(hdr->addr);
1661         type = __get_type(hdr->ctrl);
1662
1663         /* Trim FCS */
1664         skb->len--; skb->tail--;
1665         fcs = *(u8 *)skb_tail_pointer(skb);
1666
1667         if (__check_fcs(skb->data, type, fcs)) {
1668                 BT_ERR("bad checksum in packet");
1669                 kfree_skb(skb);
1670                 return -EILSEQ;
1671         }
1672
1673         if (__test_ea(hdr->len))
1674                 skb_pull(skb, 3);
1675         else
1676                 skb_pull(skb, 4);
1677
1678         switch (type) {
1679         case RFCOMM_SABM:
1680                 if (__test_pf(hdr->ctrl))
1681                         rfcomm_recv_sabm(s, dlci);
1682                 break;
1683
1684         case RFCOMM_DISC:
1685                 if (__test_pf(hdr->ctrl))
1686                         rfcomm_recv_disc(s, dlci);
1687                 break;
1688
1689         case RFCOMM_UA:
1690                 if (__test_pf(hdr->ctrl))
1691                         rfcomm_recv_ua(s, dlci);
1692                 break;
1693
1694         case RFCOMM_DM:
1695                 rfcomm_recv_dm(s, dlci);
1696                 break;
1697
1698         case RFCOMM_UIH:
1699                 if (dlci)
1700                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1701
1702                 rfcomm_recv_mcc(s, skb);
1703                 break;
1704
1705         default:
1706                 BT_ERR("Unknown packet type 0x%02x", type);
1707                 break;
1708         }
1709         kfree_skb(skb);
1710         return 0;
1711 }
1712
1713 /* ---- Connection and data processing ---- */
1714
1715 static void rfcomm_process_connect(struct rfcomm_session *s)
1716 {
1717         struct rfcomm_dlc *d;
1718         struct list_head *p, *n;
1719
1720         BT_DBG("session %p state %ld", s, s->state);
1721
1722         list_for_each_safe(p, n, &s->dlcs) {
1723                 d = list_entry(p, struct rfcomm_dlc, list);
1724                 if (d->state == BT_CONFIG) {
1725                         d->mtu = s->mtu;
1726                         if (rfcomm_check_security(d)) {
1727                                 rfcomm_send_pn(s, 1, d);
1728                         } else {
1729                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1730                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1731                         }
1732                 }
1733         }
1734 }
1735
1736 /* Send data queued for the DLC.
1737  * Return number of frames left in the queue.
1738  */
1739 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1740 {
1741         struct sk_buff *skb;
1742         int err;
1743
1744         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1745                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1746
1747         /* Send pending MSC */
1748         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1749                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1750
1751         if (d->cfc) {
1752                 /* CFC enabled.
1753                  * Give them some credits */
1754                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1755                                 d->rx_credits <= (d->cfc >> 2)) {
1756                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1757                         d->rx_credits = d->cfc;
1758                 }
1759         } else {
1760                 /* CFC disabled.
1761                  * Give ourselves some credits */
1762                 d->tx_credits = 5;
1763         }
1764
1765         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1766                 return skb_queue_len(&d->tx_queue);
1767
1768         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1769                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1770                 if (err < 0) {
1771                         skb_queue_head(&d->tx_queue, skb);
1772                         break;
1773                 }
1774                 kfree_skb(skb);
1775                 d->tx_credits--;
1776         }
1777
1778         if (d->cfc && !d->tx_credits) {
1779                 /* We're out of TX credits.
1780                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1781                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1782         }
1783
1784         return skb_queue_len(&d->tx_queue);
1785 }
1786
1787 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1788 {
1789         struct rfcomm_dlc *d;
1790         struct list_head *p, *n;
1791
1792         BT_DBG("session %p state %ld", s, s->state);
1793
1794         list_for_each_safe(p, n, &s->dlcs) {
1795                 d = list_entry(p, struct rfcomm_dlc, list);
1796
1797                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1798                         __rfcomm_dlc_close(d, ETIMEDOUT);
1799                         continue;
1800                 }
1801
1802                 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1803                         __rfcomm_dlc_close(d, ECONNREFUSED);
1804                         continue;
1805                 }
1806
1807                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1808                         rfcomm_dlc_clear_timer(d);
1809                         if (d->out) {
1810                                 rfcomm_send_pn(s, 1, d);
1811                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1812                         } else {
1813                                 if (d->defer_setup) {
1814                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1815                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1816
1817                                         rfcomm_dlc_lock(d);
1818                                         d->state = BT_CONNECT2;
1819                                         d->state_change(d, 0);
1820                                         rfcomm_dlc_unlock(d);
1821                                 } else
1822                                         rfcomm_dlc_accept(d);
1823                         }
1824                         continue;
1825                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1826                         rfcomm_dlc_clear_timer(d);
1827                         if (!d->out)
1828                                 rfcomm_send_dm(s, d->dlci);
1829                         else
1830                                 d->state = BT_CLOSED;
1831                         __rfcomm_dlc_close(d, ECONNREFUSED);
1832                         continue;
1833                 }
1834
1835                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1836                         continue;
1837
1838                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1839                         continue;
1840
1841                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1842                                                 d->mscex == RFCOMM_MSCEX_OK)
1843                         rfcomm_process_tx(d);
1844         }
1845 }
1846
1847 static void rfcomm_process_rx(struct rfcomm_session *s)
1848 {
1849         struct socket *sock = s->sock;
1850         struct sock *sk = sock->sk;
1851         struct sk_buff *skb;
1852
1853         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1854
1855         /* Get data directly from socket receive queue without copying it. */
1856         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1857                 skb_orphan(skb);
1858                 if (!skb_linearize(skb))
1859                         rfcomm_recv_frame(s, skb);
1860                 else
1861                         kfree_skb(skb);
1862         }
1863
1864         if (sk->sk_state == BT_CLOSED) {
1865                 if (!s->initiator)
1866                         rfcomm_session_put(s);
1867
1868                 rfcomm_session_close(s, sk->sk_err);
1869         }
1870 }
1871
1872 static void rfcomm_accept_connection(struct rfcomm_session *s)
1873 {
1874         struct socket *sock = s->sock, *nsock;
1875         int err;
1876
1877         /* Fast check for a new connection.
1878          * Avoids unnesesary socket allocations. */
1879         if (list_empty(&bt_sk(sock->sk)->accept_q))
1880                 return;
1881
1882         BT_DBG("session %p", s);
1883
1884         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1885         if (err < 0)
1886                 return;
1887
1888         /* Set our callbacks */
1889         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1890         nsock->sk->sk_state_change = rfcomm_l2state_change;
1891
1892         s = rfcomm_session_add(nsock, BT_OPEN);
1893         if (s) {
1894                 rfcomm_session_hold(s);
1895
1896                 /* We should adjust MTU on incoming sessions.
1897                  * L2CAP MTU minus UIH header and FCS. */
1898                 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1899                                 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1900
1901                 rfcomm_schedule();
1902         } else
1903                 sock_release(nsock);
1904 }
1905
1906 static void rfcomm_check_connection(struct rfcomm_session *s)
1907 {
1908         struct sock *sk = s->sock->sk;
1909
1910         BT_DBG("%p state %ld", s, s->state);
1911
1912         switch (sk->sk_state) {
1913         case BT_CONNECTED:
1914                 s->state = BT_CONNECT;
1915
1916                 /* We can adjust MTU on outgoing sessions.
1917                  * L2CAP MTU minus UIH header and FCS. */
1918                 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1919
1920                 rfcomm_send_sabm(s, 0);
1921                 break;
1922
1923         case BT_CLOSED:
1924                 s->state = BT_CLOSED;
1925                 rfcomm_session_close(s, sk->sk_err);
1926                 break;
1927         }
1928 }
1929
1930 static void rfcomm_process_sessions(void)
1931 {
1932         struct list_head *p, *n;
1933
1934         rfcomm_lock();
1935
1936         list_for_each_safe(p, n, &session_list) {
1937                 struct rfcomm_session *s;
1938                 s = list_entry(p, struct rfcomm_session, list);
1939
1940                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1941                         s->state = BT_DISCONN;
1942                         rfcomm_send_disc(s, 0);
1943                         rfcomm_session_put(s);
1944                         continue;
1945                 }
1946
1947                 if (s->state == BT_LISTEN) {
1948                         rfcomm_accept_connection(s);
1949                         continue;
1950                 }
1951
1952                 rfcomm_session_hold(s);
1953
1954                 switch (s->state) {
1955                 case BT_BOUND:
1956                         rfcomm_check_connection(s);
1957                         break;
1958
1959                 default:
1960                         rfcomm_process_rx(s);
1961                         break;
1962                 }
1963
1964                 rfcomm_process_dlcs(s);
1965
1966                 rfcomm_session_put(s);
1967         }
1968
1969         rfcomm_unlock();
1970 }
1971
1972 static int rfcomm_add_listener(bdaddr_t *ba)
1973 {
1974         struct sockaddr_l2 addr;
1975         struct socket *sock;
1976         struct sock *sk;
1977         struct rfcomm_session *s;
1978         int    err = 0;
1979
1980         /* Create socket */
1981         err = rfcomm_l2sock_create(&sock);
1982         if (err < 0) {
1983                 BT_ERR("Create socket failed %d", err);
1984                 return err;
1985         }
1986
1987         /* Bind socket */
1988         bacpy(&addr.l2_bdaddr, ba);
1989         addr.l2_family = AF_BLUETOOTH;
1990         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
1991         addr.l2_cid    = 0;
1992         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1993         if (err < 0) {
1994                 BT_ERR("Bind failed %d", err);
1995                 goto failed;
1996         }
1997
1998         /* Set L2CAP options */
1999         sk = sock->sk;
2000         lock_sock(sk);
2001         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2002         release_sock(sk);
2003
2004         /* Start listening on the socket */
2005         err = kernel_listen(sock, 10);
2006         if (err) {
2007                 BT_ERR("Listen failed %d", err);
2008                 goto failed;
2009         }
2010
2011         /* Add listening session */
2012         s = rfcomm_session_add(sock, BT_LISTEN);
2013         if (!s)
2014                 goto failed;
2015
2016         rfcomm_session_hold(s);
2017         return 0;
2018 failed:
2019         sock_release(sock);
2020         return err;
2021 }
2022
2023 static void rfcomm_kill_listener(void)
2024 {
2025         struct rfcomm_session *s;
2026         struct list_head *p, *n;
2027
2028         BT_DBG("");
2029
2030         list_for_each_safe(p, n, &session_list) {
2031                 s = list_entry(p, struct rfcomm_session, list);
2032                 rfcomm_session_del(s);
2033         }
2034 }
2035
2036 static int rfcomm_run(void *unused)
2037 {
2038         BT_DBG("");
2039
2040         set_user_nice(current, -10);
2041
2042         rfcomm_add_listener(BDADDR_ANY);
2043
2044         while (1) {
2045                 set_current_state(TASK_INTERRUPTIBLE);
2046
2047                 if (kthread_should_stop())
2048                         break;
2049
2050                 /* Process stuff */
2051                 rfcomm_process_sessions();
2052
2053                 schedule();
2054         }
2055         __set_current_state(TASK_RUNNING);
2056
2057         rfcomm_kill_listener();
2058
2059         return 0;
2060 }
2061
2062 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2063 {
2064         struct rfcomm_session *s;
2065         struct rfcomm_dlc *d;
2066         struct list_head *p, *n;
2067
2068         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2069
2070         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2071         if (!s)
2072                 return;
2073
2074         rfcomm_session_hold(s);
2075
2076         list_for_each_safe(p, n, &s->dlcs) {
2077                 d = list_entry(p, struct rfcomm_dlc, list);
2078
2079                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2080                         rfcomm_dlc_clear_timer(d);
2081                         if (status || encrypt == 0x00) {
2082                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2083                                 continue;
2084                         }
2085                 }
2086
2087                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2088                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2089                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2090                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2091                                 continue;
2092                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2093                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2094                                 continue;
2095                         }
2096                 }
2097
2098                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2099                         continue;
2100
2101                 if (!status && hci_conn_check_secure(conn, d->sec_level))
2102                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2103                 else
2104                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2105         }
2106
2107         rfcomm_session_put(s);
2108
2109         rfcomm_schedule();
2110 }
2111
2112 static struct hci_cb rfcomm_cb = {
2113         .name           = "RFCOMM",
2114         .security_cfm   = rfcomm_security_cfm
2115 };
2116
2117 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2118 {
2119         struct rfcomm_session *s;
2120
2121         rfcomm_lock();
2122
2123         list_for_each_entry(s, &session_list, list) {
2124                 struct rfcomm_dlc *d;
2125                 list_for_each_entry(d, &s->dlcs, list) {
2126                         struct sock *sk = s->sock->sk;
2127
2128                         seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2129                                    &bt_sk(sk)->src, &bt_sk(sk)->dst,
2130                                    d->state, d->dlci, d->mtu,
2131                                    d->rx_credits, d->tx_credits);
2132                 }
2133         }
2134
2135         rfcomm_unlock();
2136
2137         return 0;
2138 }
2139
2140 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2141 {
2142         return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2143 }
2144
2145 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2146         .open           = rfcomm_dlc_debugfs_open,
2147         .read           = seq_read,
2148         .llseek         = seq_lseek,
2149         .release        = single_release,
2150 };
2151
2152 static struct dentry *rfcomm_dlc_debugfs;
2153
2154 /* ---- Initialization ---- */
2155 static int __init rfcomm_init(void)
2156 {
2157         int err;
2158
2159         hci_register_cb(&rfcomm_cb);
2160
2161         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2162         if (IS_ERR(rfcomm_thread)) {
2163                 err = PTR_ERR(rfcomm_thread);
2164                 goto unregister;
2165         }
2166
2167         if (bt_debugfs) {
2168                 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2169                                 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2170                 if (!rfcomm_dlc_debugfs)
2171                         BT_ERR("Failed to create RFCOMM debug file");
2172         }
2173
2174         err = rfcomm_init_ttys();
2175         if (err < 0)
2176                 goto stop;
2177
2178         err = rfcomm_init_sockets();
2179         if (err < 0)
2180                 goto cleanup;
2181
2182         BT_INFO("RFCOMM ver %s", VERSION);
2183
2184         return 0;
2185
2186 cleanup:
2187         rfcomm_cleanup_ttys();
2188
2189 stop:
2190         kthread_stop(rfcomm_thread);
2191
2192 unregister:
2193         hci_unregister_cb(&rfcomm_cb);
2194
2195         return err;
2196 }
2197
2198 static void __exit rfcomm_exit(void)
2199 {
2200         debugfs_remove(rfcomm_dlc_debugfs);
2201
2202         hci_unregister_cb(&rfcomm_cb);
2203
2204         kthread_stop(rfcomm_thread);
2205
2206         rfcomm_cleanup_ttys();
2207
2208         rfcomm_cleanup_sockets();
2209 }
2210
2211 module_init(rfcomm_init);
2212 module_exit(rfcomm_exit);
2213
2214 module_param(disable_cfc, bool, 0644);
2215 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2216
2217 module_param(channel_mtu, int, 0644);
2218 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2219
2220 module_param(l2cap_mtu, uint, 0644);
2221 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2222
2223 module_param(l2cap_ertm, bool, 0644);
2224 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2225
2226 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2227 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2228 MODULE_VERSION(VERSION);
2229 MODULE_LICENSE("GPL");
2230 MODULE_ALIAS("bt-proto-3");