net/bluetooth/rfcomm/core.c

   1 /*
   2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
   4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License version 2 as
   8    published by the Free Software Foundation;
   9
  10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  18
  19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  21    SOFTWARE IS DISCLAIMED.
  22 */
  23
  24 /*
  25  * Bluetooth RFCOMM core.
  26  */
  27
  28 #include <linux/module.h>
  29 #include <linux/errno.h>
  30 #include <linux/kernel.h>
  31 #include <linux/sched.h>
  32 #include <linux/signal.h>
  33 #include <linux/init.h>
  34 #include <linux/wait.h>
  35 #include <linux/device.h>
  36 #include <linux/debugfs.h>
  37 #include <linux/seq_file.h>
  38 #include <linux/net.h>
  39 #include <linux/mutex.h>
  40 #include <linux/kthread.h>
  41 #include <linux/slab.h>
  42
  43 #include <net/sock.h>
  44 #include <linux/uaccess.h>
  45 #include <asm/unaligned.h>
  46
  47 #include <net/bluetooth/bluetooth.h>
  48 #include <net/bluetooth/hci_core.h>
  49 #include <net/bluetooth/l2cap.h>
  50 #include <net/bluetooth/rfcomm.h>
  51
  52 #define VERSION "1.11"
  53
  54 static bool disable_cfc;
  55 static bool l2cap_ertm;
  56 static int channel_mtu = -1;
  57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
  58
  59 static struct task_struct *rfcomm_thread;
  60
  61 static DEFINE_MUTEX(rfcomm_mutex);
  62 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
  63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
  64
  65
  66 static LIST_HEAD(session_list);
  67
  68 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
  69 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
  70 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
  71 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
  72 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
  73 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
  74 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
  75 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
  76 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
  77 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
  78
  79 static void rfcomm_process_connect(struct rfcomm_session *s);
  80
  81 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
  82                                                         bdaddr_t *dst,
  83                                                         u8 sec_level,
  84                                                         int *err);
  85 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
  86 static void rfcomm_session_del(struct rfcomm_session *s);
  87
  88 /* ---- RFCOMM frame parsing macros ---- */
  89 #define __get_dlci(b)     ((b & 0xfc) >> 2)
  90 #define __get_channel(b)  ((b & 0xf8) >> 3)
  91 #define __get_dir(b)      ((b & 0x04) >> 2)
  92 #define __get_type(b)     ((b & 0xef))
  93
  94 #define __test_ea(b)      ((b & 0x01))
  95 #define __test_cr(b)      ((b & 0x02))
  96 #define __test_pf(b)      ((b & 0x10))
  97
  98 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
  99 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
 100 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
 101 #define __srv_channel(dlci)    (dlci >> 1)
 102 #define __dir(dlci)            (dlci & 0x01)
 103
 104 #define __len8(len)       (((len) << 1) | 1)
 105 #define __len16(len)      ((len) << 1)
 106
 107 /* MCC macros */
 108 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
 109 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
 110 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
 111
 112 /* RPN macros */
 113 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
 114 #define __get_rpn_data_bits(line) ((line) & 0x3)
 115 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
 116 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
 117
 118 static inline void rfcomm_schedule(void)
 119 {
 120         if (!rfcomm_thread)
 121                 return;
 122         wake_up_process(rfcomm_thread);
 123 }
 124
 125 static inline void rfcomm_session_put(struct rfcomm_session *s)
 126 {
 127         if (atomic_dec_and_test(&s->refcnt))
 128                 rfcomm_session_del(s);
 129 }
 130
 131 /* ---- RFCOMM FCS computation ---- */
 132
 133 /* reversed, 8-bit, poly=0x07 */
 134 static unsigned char rfcomm_crc_table[256] = {
 135         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
 136         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
 137         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
 138         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
 139
 140         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
 141         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
 142         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
 143         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
 144
 145         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
 146         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
 147         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
 148         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
 149
 150         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
 151         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
 152         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
 153         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
 154
 155         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
 156         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
 157         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
 158         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
 159
 160         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
 161         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
 162         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
 163         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
 164
 165         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
 166         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
 167         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
 168         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
 169
 170         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
 171         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
 172         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
 173         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
 174 };
 175
 176 /* CRC on 2 bytes */
 177 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
 178
 179 /* FCS on 2 bytes */
 180 static inline u8 __fcs(u8 *data)
 181 {
 182         return 0xff - __crc(data);
 183 }
 184
 185 /* FCS on 3 bytes */
 186 static inline u8 __fcs2(u8 *data)
 187 {
 188         return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
 189 }
 190
 191 /* Check FCS */
 192 static inline int __check_fcs(u8 *data, int type, u8 fcs)
 193 {
 194         u8 f = __crc(data);
 195
 196         if (type != RFCOMM_UIH)
 197                 f = rfcomm_crc_table[f ^ data[2]];
 198
 199         return rfcomm_crc_table[f ^ fcs] != 0xcf;
 200 }
 201
 202 /* ---- L2CAP callbacks ---- */
 203 static void rfcomm_l2state_change(struct sock *sk)
 204 {
 205         BT_DBG("%p state %d", sk, sk->sk_state);
 206         rfcomm_schedule();
 207 }
 208
 209 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
 210 {
 211         BT_DBG("%p bytes %d", sk, bytes);
 212         rfcomm_schedule();
 213 }
 214
 215 static int rfcomm_l2sock_create(struct socket **sock)
 216 {
 217         int err;
 218
 219         BT_DBG("");
 220
 221         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
 222         if (!err) {
 223                 struct sock *sk = (*sock)->sk;
 224                 sk->sk_data_ready   = rfcomm_l2data_ready;
 225                 sk->sk_state_change = rfcomm_l2state_change;
 226         }
 227         return err;
 228 }
 229
 230 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
 231 {
 232         struct sock *sk = d->session->sock->sk;
 233         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
 234
 235         __u8 auth_type;
 236
 237         switch (d->sec_level) {
 238         case BT_SECURITY_HIGH:
 239                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
 240                 break;
 241         case BT_SECURITY_MEDIUM:
 242                 auth_type = HCI_AT_GENERAL_BONDING;
 243                 break;
 244         default:
 245                 auth_type = HCI_AT_NO_BONDING;
 246                 break;
 247         }
 248
 249         return hci_conn_security(conn->hcon, d->sec_level, auth_type);
 250 }
 251
 252 static void rfcomm_session_timeout(unsigned long arg)
 253 {
 254         struct rfcomm_session *s = (void *) arg;
 255
 256         BT_DBG("session %p state %ld", s, s->state);
 257
 258         set_bit(RFCOMM_TIMED_OUT, &s->flags);
 259         rfcomm_schedule();
 260 }
 261
 262 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
 263 {
 264         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
 265
 266         if (!mod_timer(&s->timer, jiffies + timeout))
 267                 rfcomm_session_hold(s);
 268 }
 269
 270 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
 271 {
 272         BT_DBG("session %p state %ld", s, s->state);
 273
 274         if (timer_pending(&s->timer) && del_timer(&s->timer))
 275                 rfcomm_session_put(s);
 276 }
 277
 278 /* ---- RFCOMM DLCs ---- */
 279 static void rfcomm_dlc_timeout(unsigned long arg)
 280 {
 281         struct rfcomm_dlc *d = (void *) arg;
 282
 283         BT_DBG("dlc %p state %ld", d, d->state);
 284
 285         set_bit(RFCOMM_TIMED_OUT, &d->flags);
 286         rfcomm_dlc_put(d);
 287         rfcomm_schedule();
 288 }
 289
 290 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
 291 {
 292         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
 293
 294         if (!mod_timer(&d->timer, jiffies + timeout))
 295                 rfcomm_dlc_hold(d);
 296 }
 297
 298 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
 299 {
 300         BT_DBG("dlc %p state %ld", d, d->state);
 301
 302         if (timer_pending(&d->timer) && del_timer(&d->timer))
 303                 rfcomm_dlc_put(d);
 304 }
 305
 306 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
 307 {
 308         BT_DBG("%p", d);
 309
 310         d->state      = BT_OPEN;
 311         d->flags      = 0;
 312         d->mscex      = 0;
 313         d->sec_level  = BT_SECURITY_LOW;
 314         d->mtu        = RFCOMM_DEFAULT_MTU;
 315         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
 316
 317         d->cfc        = RFCOMM_CFC_DISABLED;
 318         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
 319 }
 320
 321 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
 322 {
 323         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
 324
 325         if (!d)
 326                 return NULL;
 327
 328         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
 329
 330         skb_queue_head_init(&d->tx_queue);
 331         spin_lock_init(&d->lock);
 332         atomic_set(&d->refcnt, 1);
 333
 334         rfcomm_dlc_clear_state(d);
 335
 336         BT_DBG("%p", d);
 337
 338         return d;
 339 }
 340
 341 void rfcomm_dlc_free(struct rfcomm_dlc *d)
 342 {
 343         BT_DBG("%p", d);
 344
 345         skb_queue_purge(&d->tx_queue);
 346         kfree(d);
 347 }
 348
 349 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
 350 {
 351         BT_DBG("dlc %p session %p", d, s);
 352
 353         rfcomm_session_hold(s);
 354
 355         rfcomm_session_clear_timer(s);
 356         rfcomm_dlc_hold(d);
 357         list_add(&d->list, &s->dlcs);
 358         d->session = s;
 359 }
 360
 361 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
 362 {
 363         struct rfcomm_session *s = d->session;
 364
 365         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
 366
 367         list_del(&d->list);
 368         d->session = NULL;
 369         rfcomm_dlc_put(d);
 370
 371         if (list_empty(&s->dlcs))
 372                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
 373
 374         rfcomm_session_put(s);
 375 }
 376
 377 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
 378 {
 379         struct rfcomm_dlc *d;
 380
 381         list_for_each_entry(d, &s->dlcs, list)
 382                 if (d->dlci == dlci)
 383                         return d;
 384
 385         return NULL;
 386 }
 387
 388 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
 389 {
 390         struct rfcomm_session *s;
 391         int err = 0;
 392         u8 dlci;
 393
 394         BT_DBG("dlc %p state %ld %s %s channel %d",
 395                         d, d->state, batostr(src), batostr(dst), channel);
 396
 397         if (channel < 1 || channel > 30)
 398                 return -EINVAL;
 399
 400         if (d->state != BT_OPEN && d->state != BT_CLOSED)
 401                 return 0;
 402
 403         s = rfcomm_session_get(src, dst);
 404         if (!s) {
 405                 s = rfcomm_session_create(src, dst, d->sec_level, &err);
 406                 if (!s)
 407                         return err;
 408         }
 409
 410         dlci = __dlci(!s->initiator, channel);
 411
 412         /* Check if DLCI already exists */
 413         if (rfcomm_dlc_get(s, dlci))
 414                 return -EBUSY;
 415
 416         rfcomm_dlc_clear_state(d);
 417
 418         d->dlci     = dlci;
 419         d->addr     = __addr(s->initiator, dlci);
 420         d->priority = 7;
 421
 422         d->state = BT_CONFIG;
 423         rfcomm_dlc_link(s, d);
 424
 425         d->out = 1;
 426
 427         d->mtu = s->mtu;
 428         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
 429
 430         if (s->state == BT_CONNECTED) {
 431                 if (rfcomm_check_security(d))
 432                         rfcomm_send_pn(s, 1, d);
 433                 else
 434                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
 435         }
 436
 437         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
 438
 439         return 0;
 440 }
 441
 442 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
 443 {
 444         int r;
 445
 446         rfcomm_lock();
 447
 448         r = __rfcomm_dlc_open(d, src, dst, channel);
 449
 450         rfcomm_unlock();
 451         return r;
 452 }
 453
 454 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 455 {
 456         struct rfcomm_session *s = d->session;
 457         if (!s)
 458                 return 0;
 459
 460         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
 461                         d, d->state, d->dlci, err, s);
 462
 463         switch (d->state) {
 464         case BT_CONNECT:
 465                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
 466                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
 467                         rfcomm_schedule();
 468                         break;
 469                 }
 470                 /* Fall through */
 471
 472         case BT_CONNECTED:
 473                 d->state = BT_DISCONN;
 474                 if (skb_queue_empty(&d->tx_queue)) {
 475                         rfcomm_send_disc(s, d->dlci);
 476                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
 477                 } else {
 478                         rfcomm_queue_disc(d);
 479                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
 480                 }
 481                 break;
 482
 483         case BT_OPEN:
 484         case BT_CONNECT2:
 485                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
 486                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
 487                         rfcomm_schedule();
 488                         break;
 489                 }
 490                 /* Fall through */
 491
 492         default:
 493                 rfcomm_dlc_clear_timer(d);
 494
 495                 rfcomm_dlc_lock(d);
 496                 d->state = BT_CLOSED;
 497                 d->state_change(d, err);
 498                 rfcomm_dlc_unlock(d);
 499
 500                 skb_queue_purge(&d->tx_queue);
 501                 rfcomm_dlc_unlink(d);
 502         }
 503
 504         return 0;
 505 }
 506
 507 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 508 {
 509         int r;
 510
 511         rfcomm_lock();
 512
 513         r = __rfcomm_dlc_close(d, err);
 514
 515         rfcomm_unlock();
 516         return r;
 517 }
 518
 519 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
 520 {
 521         int len = skb->len;
 522
 523         if (d->state != BT_CONNECTED)
 524                 return -ENOTCONN;
 525
 526         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
 527
 528         if (len > d->mtu)
 529                 return -EINVAL;
 530
 531         rfcomm_make_uih(skb, d->addr);
 532         skb_queue_tail(&d->tx_queue, skb);
 533
 534         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
 535                 rfcomm_schedule();
 536         return len;
 537 }
 538
 539 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
 540 {
 541         BT_DBG("dlc %p state %ld", d, d->state);
 542
 543         if (!d->cfc) {
 544                 d->v24_sig |= RFCOMM_V24_FC;
 545                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
 546         }
 547         rfcomm_schedule();
 548 }
 549
 550 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
 551 {
 552         BT_DBG("dlc %p state %ld", d, d->state);
 553
 554         if (!d->cfc) {
 555                 d->v24_sig &= ~RFCOMM_V24_FC;
 556                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
 557         }
 558         rfcomm_schedule();
 559 }
 560
 561 /*
 562    Set/get modem status functions use _local_ status i.e. what we report
 563    to the other side.
 564    Remote status is provided by dlc->modem_status() callback.
 565  */
 566 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
 567 {
 568         BT_DBG("dlc %p state %ld v24_sig 0x%x",
 569                         d, d->state, v24_sig);
 570
 571         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
 572                 v24_sig |= RFCOMM_V24_FC;
 573         else
 574                 v24_sig &= ~RFCOMM_V24_FC;
 575
 576         d->v24_sig = v24_sig;
 577
 578         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
 579                 rfcomm_schedule();
 580
 581         return 0;
 582 }
 583
 584 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
 585 {
 586         BT_DBG("dlc %p state %ld v24_sig 0x%x",
 587                         d, d->state, d->v24_sig);
 588
 589         *v24_sig = d->v24_sig;
 590         return 0;
 591 }
 592
 593 /* ---- RFCOMM sessions ---- */
 594 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
 595 {
 596         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
 597
 598         if (!s)
 599                 return NULL;
 600
 601         BT_DBG("session %p sock %p", s, sock);
 602
 603         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
 604
 605         INIT_LIST_HEAD(&s->dlcs);
 606         s->state = state;
 607         s->sock  = sock;
 608
 609         s->mtu = RFCOMM_DEFAULT_MTU;
 610         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
 611
 612         /* Do not increment module usage count for listening sessions.
 613          * Otherwise we won't be able to unload the module. */
 614         if (state != BT_LISTEN)
 615                 if (!try_module_get(THIS_MODULE)) {
 616                         kfree(s);
 617                         return NULL;
 618                 }
 619
 620         list_add(&s->list, &session_list);
 621
 622         return s;
 623 }
 624
 625 static void rfcomm_session_del(struct rfcomm_session *s)
 626 {
 627         int state = s->state;
 628
 629         BT_DBG("session %p state %ld", s, s->state);
 630
 631         list_del(&s->list);
 632
 633         if (state == BT_CONNECTED)
 634                 rfcomm_send_disc(s, 0);
 635
 636         rfcomm_session_clear_timer(s);
 637         sock_release(s->sock);
 638         kfree(s);
 639
 640         if (state != BT_LISTEN)
 641                 module_put(THIS_MODULE);
 642 }
 643
 644 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
 645 {
 646         struct rfcomm_session *s;
 647         struct list_head *p, *n;
 648         struct bt_sock *sk;
 649         list_for_each_safe(p, n, &session_list) {
 650                 s = list_entry(p, struct rfcomm_session, list);
 651                 sk = bt_sk(s->sock->sk);
 652
 653                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
 654                                 !bacmp(&sk->dst, dst))
 655                         return s;
 656         }
 657         return NULL;
 658 }
 659
 660 static void rfcomm_session_close(struct rfcomm_session *s, int err)
 661 {
 662         struct rfcomm_dlc *d;
 663         struct list_head *p, *n;
 664
 665         BT_DBG("session %p state %ld err %d", s, s->state, err);
 666
 667         rfcomm_session_hold(s);
 668
 669         s->state = BT_CLOSED;
 670
 671         /* Close all dlcs */
 672         list_for_each_safe(p, n, &s->dlcs) {
 673                 d = list_entry(p, struct rfcomm_dlc, list);
 674                 d->state = BT_CLOSED;
 675                 __rfcomm_dlc_close(d, err);
 676         }
 677
 678         rfcomm_session_clear_timer(s);
 679         rfcomm_session_put(s);
 680 }
 681
 682 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
 683                                                         bdaddr_t *dst,
 684                                                         u8 sec_level,
 685                                                         int *err)
 686 {
 687         struct rfcomm_session *s = NULL;
 688         struct sockaddr_l2 addr;
 689         struct socket *sock;
 690         struct sock *sk;
 691
 692         BT_DBG("%s %s", batostr(src), batostr(dst));
 693
 694         *err = rfcomm_l2sock_create(&sock);
 695         if (*err < 0)
 696                 return NULL;
 697
 698         bacpy(&addr.l2_bdaddr, src);
 699         addr.l2_family = AF_BLUETOOTH;
 700         addr.l2_psm    = 0;
 701         addr.l2_cid    = 0;
 702         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
 703         if (*err < 0)
 704                 goto failed;
 705
 706         /* Set L2CAP options */
 707         sk = sock->sk;
 708         lock_sock(sk);
 709         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
 710         l2cap_pi(sk)->chan->sec_level = sec_level;
 711         if (l2cap_ertm)
 712                 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
 713         release_sock(sk);
 714
 715         s = rfcomm_session_add(sock, BT_BOUND);
 716         if (!s) {
 717                 *err = -ENOMEM;
 718                 goto failed;
 719         }
 720
 721         s->initiator = 1;
 722
 723         bacpy(&addr.l2_bdaddr, dst);
 724         addr.l2_family = AF_BLUETOOTH;
 725         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
 726         addr.l2_cid    = 0;
 727         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
 728         if (*err == 0 || *err == -EINPROGRESS)
 729                 return s;
 730
 731         rfcomm_session_del(s);
 732         return NULL;
 733
 734 failed:
 735         sock_release(sock);
 736         return NULL;
 737 }
 738
 739 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
 740 {
 741         struct sock *sk = s->sock->sk;
 742         if (src)
 743                 bacpy(src, &bt_sk(sk)->src);
 744         if (dst)
 745                 bacpy(dst, &bt_sk(sk)->dst);
 746 }
 747
 748 /* ---- RFCOMM frame sending ---- */
 749 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
 750 {
 751         struct kvec iv = { data, len };
 752         struct msghdr msg;
 753
 754         BT_DBG("session %p len %d", s, len);
 755
 756         memset(&msg, 0, sizeof(msg));
 757
 758         return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
 759 }
 760
 761 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
 762 {
 763         BT_DBG("%p cmd %u", s, cmd->ctrl);
 764
 765         return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
 766 }
 767
 768 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
 769 {
 770         struct rfcomm_cmd cmd;
 771
 772         BT_DBG("%p dlci %d", s, dlci);
 773
 774         cmd.addr = __addr(s->initiator, dlci);
 775         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
 776         cmd.len  = __len8(0);
 777         cmd.fcs  = __fcs2((u8 *) &cmd);
 778
 779         return rfcomm_send_cmd(s, &cmd);
 780 }
 781
 782 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
 783 {
 784         struct rfcomm_cmd cmd;
 785
 786         BT_DBG("%p dlci %d", s, dlci);
 787
 788         cmd.addr = __addr(!s->initiator, dlci);
 789         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
 790         cmd.len  = __len8(0);
 791         cmd.fcs  = __fcs2((u8 *) &cmd);
 792
 793         return rfcomm_send_cmd(s, &cmd);
 794 }
 795
 796 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
 797 {
 798         struct rfcomm_cmd cmd;
 799
 800         BT_DBG("%p dlci %d", s, dlci);
 801
 802         cmd.addr = __addr(s->initiator, dlci);
 803         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
 804         cmd.len  = __len8(0);
 805         cmd.fcs  = __fcs2((u8 *) &cmd);
 806
 807         return rfcomm_send_cmd(s, &cmd);
 808 }
 809
 810 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
 811 {
 812         struct rfcomm_cmd *cmd;
 813         struct sk_buff *skb;
 814
 815         BT_DBG("dlc %p dlci %d", d, d->dlci);
 816
 817         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
 818         if (!skb)
 819                 return -ENOMEM;
 820
 821         cmd = (void *) __skb_put(skb, sizeof(*cmd));
 822         cmd->addr = d->addr;
 823         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
 824         cmd->len  = __len8(0);
 825         cmd->fcs  = __fcs2((u8 *) cmd);
 826
 827         skb_queue_tail(&d->tx_queue, skb);
 828         rfcomm_schedule();
 829         return 0;
 830 }
 831
 832 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
 833 {
 834         struct rfcomm_cmd cmd;
 835
 836         BT_DBG("%p dlci %d", s, dlci);
 837
 838         cmd.addr = __addr(!s->initiator, dlci);
 839         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
 840         cmd.len  = __len8(0);
 841         cmd.fcs  = __fcs2((u8 *) &cmd);
 842
 843         return rfcomm_send_cmd(s, &cmd);
 844 }
 845
 846 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
 847 {
 848         struct rfcomm_hdr *hdr;
 849         struct rfcomm_mcc *mcc;
 850         u8 buf[16], *ptr = buf;
 851
 852         BT_DBG("%p cr %d type %d", s, cr, type);
 853
 854         hdr = (void *) ptr; ptr += sizeof(*hdr);
 855         hdr->addr = __addr(s->initiator, 0);
 856         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 857         hdr->len  = __len8(sizeof(*mcc) + 1);
 858
 859         mcc = (void *) ptr; ptr += sizeof(*mcc);
 860         mcc->type = __mcc_type(cr, RFCOMM_NSC);
 861         mcc->len  = __len8(1);
 862
 863         /* Type that we didn't like */
 864         *ptr = __mcc_type(cr, type); ptr++;
 865
 866         *ptr = __fcs(buf); ptr++;
 867
 868         return rfcomm_send_frame(s, buf, ptr - buf);
 869 }
 870
 871 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
 872 {
 873         struct rfcomm_hdr *hdr;
 874         struct rfcomm_mcc *mcc;
 875         struct rfcomm_pn  *pn;
 876         u8 buf[16], *ptr = buf;
 877
 878         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
 879
 880         hdr = (void *) ptr; ptr += sizeof(*hdr);
 881         hdr->addr = __addr(s->initiator, 0);
 882         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 883         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
 884
 885         mcc = (void *) ptr; ptr += sizeof(*mcc);
 886         mcc->type = __mcc_type(cr, RFCOMM_PN);
 887         mcc->len  = __len8(sizeof(*pn));
 888
 889         pn = (void *) ptr; ptr += sizeof(*pn);
 890         pn->dlci        = d->dlci;
 891         pn->priority    = d->priority;
 892         pn->ack_timer   = 0;
 893         pn->max_retrans = 0;
 894
 895         if (s->cfc) {
 896                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
 897                 pn->credits = RFCOMM_DEFAULT_CREDITS;
 898         } else {
 899                 pn->flow_ctrl = 0;
 900                 pn->credits   = 0;
 901         }
 902
 903         if (cr && channel_mtu >= 0)
 904                 pn->mtu = cpu_to_le16(channel_mtu);
 905         else
 906                 pn->mtu = cpu_to_le16(d->mtu);
 907
 908         *ptr = __fcs(buf); ptr++;
 909
 910         return rfcomm_send_frame(s, buf, ptr - buf);
 911 }
 912
 913 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
 914                         u8 bit_rate, u8 data_bits, u8 stop_bits,
 915                         u8 parity, u8 flow_ctrl_settings,
 916                         u8 xon_char, u8 xoff_char, u16 param_mask)
 917 {
 918         struct rfcomm_hdr *hdr;
 919         struct rfcomm_mcc *mcc;
 920         struct rfcomm_rpn *rpn;
 921         u8 buf[16], *ptr = buf;
 922
 923         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
 924                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
 925                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
 926                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
 927
 928         hdr = (void *) ptr; ptr += sizeof(*hdr);
 929         hdr->addr = __addr(s->initiator, 0);
 930         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 931         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
 932
 933         mcc = (void *) ptr; ptr += sizeof(*mcc);
 934         mcc->type = __mcc_type(cr, RFCOMM_RPN);
 935         mcc->len  = __len8(sizeof(*rpn));
 936
 937         rpn = (void *) ptr; ptr += sizeof(*rpn);
 938         rpn->dlci          = __addr(1, dlci);
 939         rpn->bit_rate      = bit_rate;
 940         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
 941         rpn->flow_ctrl     = flow_ctrl_settings;
 942         rpn->xon_char      = xon_char;
 943         rpn->xoff_char     = xoff_char;
 944         rpn->param_mask    = cpu_to_le16(param_mask);
 945
 946         *ptr = __fcs(buf); ptr++;
 947
 948         return rfcomm_send_frame(s, buf, ptr - buf);
 949 }
 950
 951 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
 952 {
 953         struct rfcomm_hdr *hdr;
 954         struct rfcomm_mcc *mcc;
 955         struct rfcomm_rls *rls;
 956         u8 buf[16], *ptr = buf;
 957
 958         BT_DBG("%p cr %d status 0x%x", s, cr, status);
 959
 960         hdr = (void *) ptr; ptr += sizeof(*hdr);
 961         hdr->addr = __addr(s->initiator, 0);
 962         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 963         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
 964
 965         mcc = (void *) ptr; ptr += sizeof(*mcc);
 966         mcc->type = __mcc_type(cr, RFCOMM_RLS);
 967         mcc->len  = __len8(sizeof(*rls));
 968
 969         rls = (void *) ptr; ptr += sizeof(*rls);
 970         rls->dlci   = __addr(1, dlci);
 971         rls->status = status;
 972
 973         *ptr = __fcs(buf); ptr++;
 974
 975         return rfcomm_send_frame(s, buf, ptr - buf);
 976 }
 977
 978 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
 979 {
 980         struct rfcomm_hdr *hdr;
 981         struct rfcomm_mcc *mcc;
 982         struct rfcomm_msc *msc;
 983         u8 buf[16], *ptr = buf;
 984
 985         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
 986
 987         hdr = (void *) ptr; ptr += sizeof(*hdr);
 988         hdr->addr = __addr(s->initiator, 0);
 989         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 990         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
 991
 992         mcc = (void *) ptr; ptr += sizeof(*mcc);
 993         mcc->type = __mcc_type(cr, RFCOMM_MSC);
 994         mcc->len  = __len8(sizeof(*msc));
 995
 996         msc = (void *) ptr; ptr += sizeof(*msc);
 997         msc->dlci    = __addr(1, dlci);
 998         msc->v24_sig = v24_sig | 0x01;
 999
1000         *ptr = __fcs(buf); ptr++;
1001
1002         return rfcomm_send_frame(s, buf, ptr - buf);
1003 }
1004
1005 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1006 {
1007         struct rfcomm_hdr *hdr;
1008         struct rfcomm_mcc *mcc;
1009         u8 buf[16], *ptr = buf;
1010
1011         BT_DBG("%p cr %d", s, cr);
1012
1013         hdr = (void *) ptr; ptr += sizeof(*hdr);
1014         hdr->addr = __addr(s->initiator, 0);
1015         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1016         hdr->len  = __len8(sizeof(*mcc));
1017
1018         mcc = (void *) ptr; ptr += sizeof(*mcc);
1019         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1020         mcc->len  = __len8(0);
1021
1022         *ptr = __fcs(buf); ptr++;
1023
1024         return rfcomm_send_frame(s, buf, ptr - buf);
1025 }
1026
1027 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1028 {
1029         struct rfcomm_hdr *hdr;
1030         struct rfcomm_mcc *mcc;
1031         u8 buf[16], *ptr = buf;
1032
1033         BT_DBG("%p cr %d", s, cr);
1034
1035         hdr = (void *) ptr; ptr += sizeof(*hdr);
1036         hdr->addr = __addr(s->initiator, 0);
1037         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1038         hdr->len  = __len8(sizeof(*mcc));
1039
1040         mcc = (void *) ptr; ptr += sizeof(*mcc);
1041         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1042         mcc->len  = __len8(0);
1043
1044         *ptr = __fcs(buf); ptr++;
1045
1046         return rfcomm_send_frame(s, buf, ptr - buf);
1047 }
1048
1049 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1050 {
1051         struct socket *sock = s->sock;
1052         struct kvec iv[3];
1053         struct msghdr msg;
1054         unsigned char hdr[5], crc[1];
1055
1056         if (len > 125)
1057                 return -EINVAL;
1058
1059         BT_DBG("%p cr %d", s, cr);
1060
1061         hdr[0] = __addr(s->initiator, 0);
1062         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1063         hdr[2] = 0x01 | ((len + 2) << 1);
1064         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1065         hdr[4] = 0x01 | (len << 1);
1066
1067         crc[0] = __fcs(hdr);
1068
1069         iv[0].iov_base = hdr;
1070         iv[0].iov_len  = 5;
1071         iv[1].iov_base = pattern;
1072         iv[1].iov_len  = len;
1073         iv[2].iov_base = crc;
1074         iv[2].iov_len  = 1;
1075
1076         memset(&msg, 0, sizeof(msg));
1077
1078         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1079 }
1080
1081 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1082 {
1083         struct rfcomm_hdr *hdr;
1084         u8 buf[16], *ptr = buf;
1085
1086         BT_DBG("%p addr %d credits %d", s, addr, credits);
1087
1088         hdr = (void *) ptr; ptr += sizeof(*hdr);
1089         hdr->addr = addr;
1090         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1091         hdr->len  = __len8(0);
1092
1093         *ptr = credits; ptr++;
1094
1095         *ptr = __fcs(buf); ptr++;
1096
1097         return rfcomm_send_frame(s, buf, ptr - buf);
1098 }
1099
1100 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1101 {
1102         struct rfcomm_hdr *hdr;
1103         int len = skb->len;
1104         u8 *crc;
1105
1106         if (len > 127) {
1107                 hdr = (void *) skb_push(skb, 4);
1108                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1109         } else {
1110                 hdr = (void *) skb_push(skb, 3);
1111                 hdr->len = __len8(len);
1112         }
1113         hdr->addr = addr;
1114         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1115
1116         crc = skb_put(skb, 1);
1117         *crc = __fcs((void *) hdr);
1118 }
1119
1120 /* ---- RFCOMM frame reception ---- */
1121 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1122 {
1123         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1124
1125         if (dlci) {
1126                 /* Data channel */
1127                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1128                 if (!d) {
1129                         rfcomm_send_dm(s, dlci);
1130                         return 0;
1131                 }
1132
1133                 switch (d->state) {
1134                 case BT_CONNECT:
1135                         rfcomm_dlc_clear_timer(d);
1136
1137                         rfcomm_dlc_lock(d);
1138                         d->state = BT_CONNECTED;
1139                         d->state_change(d, 0);
1140                         rfcomm_dlc_unlock(d);
1141
1142                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1143                         break;
1144
1145                 case BT_DISCONN:
1146                         d->state = BT_CLOSED;
1147                         __rfcomm_dlc_close(d, 0);
1148
1149                         if (list_empty(&s->dlcs)) {
1150                                 s->state = BT_DISCONN;
1151                                 rfcomm_send_disc(s, 0);
1152                                 rfcomm_session_clear_timer(s);
1153                         }
1154
1155                         break;
1156                 }
1157         } else {
1158                 /* Control channel */
1159                 switch (s->state) {
1160                 case BT_CONNECT:
1161                         s->state = BT_CONNECTED;
1162                         rfcomm_process_connect(s);
1163                         break;
1164
1165                 case BT_DISCONN:
1166                         /* When socket is closed and we are not RFCOMM
1167                          * initiator rfcomm_process_rx already calls
1168                          * rfcomm_session_put() */
1169                         if (s->sock->sk->sk_state != BT_CLOSED)
1170                                 if (list_empty(&s->dlcs))
1171                                         rfcomm_session_put(s);
1172                         break;
1173                 }
1174         }
1175         return 0;
1176 }
1177
1178 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1179 {
1180         int err = 0;
1181
1182         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1183
1184         if (dlci) {
1185                 /* Data DLC */
1186                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1187                 if (d) {
1188                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1189                                 err = ECONNREFUSED;
1190                         else
1191                                 err = ECONNRESET;
1192
1193                         d->state = BT_CLOSED;
1194                         __rfcomm_dlc_close(d, err);
1195                 }
1196         } else {
1197                 if (s->state == BT_CONNECT)
1198                         err = ECONNREFUSED;
1199                 else
1200                         err = ECONNRESET;
1201
1202                 s->state = BT_CLOSED;
1203                 rfcomm_session_close(s, err);
1204         }
1205         return 0;
1206 }
1207
1208 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1209 {
1210         int err = 0;
1211
1212         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1213
1214         if (dlci) {
1215                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1216                 if (d) {
1217                         rfcomm_send_ua(s, dlci);
1218
1219                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1220                                 err = ECONNREFUSED;
1221                         else
1222                                 err = ECONNRESET;
1223
1224                         d->state = BT_CLOSED;
1225                         __rfcomm_dlc_close(d, err);
1226                 } else
1227                         rfcomm_send_dm(s, dlci);
1228
1229         } else {
1230                 rfcomm_send_ua(s, 0);
1231
1232                 if (s->state == BT_CONNECT)
1233                         err = ECONNREFUSED;
1234                 else
1235                         err = ECONNRESET;
1236
1237                 s->state = BT_CLOSED;
1238                 rfcomm_session_close(s, err);
1239         }
1240
1241         return 0;
1242 }
1243
1244 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1245 {
1246         struct sock *sk = d->session->sock->sk;
1247         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1248
1249         BT_DBG("dlc %p", d);
1250
1251         rfcomm_send_ua(d->session, d->dlci);
1252
1253         rfcomm_dlc_clear_timer(d);
1254
1255         rfcomm_dlc_lock(d);
1256         d->state = BT_CONNECTED;
1257         d->state_change(d, 0);
1258         rfcomm_dlc_unlock(d);
1259
1260         if (d->role_switch)
1261                 hci_conn_switch_role(conn->hcon, 0x00);
1262
1263         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1264 }
1265
1266 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1267 {
1268         if (rfcomm_check_security(d)) {
1269                 if (d->defer_setup) {
1270                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1271                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1272
1273                         rfcomm_dlc_lock(d);
1274                         d->state = BT_CONNECT2;
1275                         d->state_change(d, 0);
1276                         rfcomm_dlc_unlock(d);
1277                 } else
1278                         rfcomm_dlc_accept(d);
1279         } else {
1280                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1281                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1282         }
1283 }
1284
1285 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1286 {
1287         struct rfcomm_dlc *d;
1288         u8 channel;
1289
1290         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1291
1292         if (!dlci) {
1293                 rfcomm_send_ua(s, 0);
1294
1295                 if (s->state == BT_OPEN) {
1296                         s->state = BT_CONNECTED;
1297                         rfcomm_process_connect(s);
1298                 }
1299                 return 0;
1300         }
1301
1302         /* Check if DLC exists */
1303         d = rfcomm_dlc_get(s, dlci);
1304         if (d) {
1305                 if (d->state == BT_OPEN) {
1306                         /* DLC was previously opened by PN request */
1307                         rfcomm_check_accept(d);
1308                 }
1309                 return 0;
1310         }
1311
1312         /* Notify socket layer about incoming connection */
1313         channel = __srv_channel(dlci);
1314         if (rfcomm_connect_ind(s, channel, &d)) {
1315                 d->dlci = dlci;
1316                 d->addr = __addr(s->initiator, dlci);
1317                 rfcomm_dlc_link(s, d);
1318
1319                 rfcomm_check_accept(d);
1320         } else {
1321                 rfcomm_send_dm(s, dlci);
1322         }
1323
1324         return 0;
1325 }
1326
1327 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1328 {
1329         struct rfcomm_session *s = d->session;
1330
1331         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1332                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1333
1334         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1335                                                 pn->flow_ctrl == 0xe0) {
1336                 d->cfc = RFCOMM_CFC_ENABLED;
1337                 d->tx_credits = pn->credits;
1338         } else {
1339                 d->cfc = RFCOMM_CFC_DISABLED;
1340                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1341         }
1342
1343         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1344                 s->cfc = d->cfc;
1345
1346         d->priority = pn->priority;
1347
1348         d->mtu = __le16_to_cpu(pn->mtu);
1349
1350         if (cr && d->mtu > s->mtu)
1351                 d->mtu = s->mtu;
1352
1353         return 0;
1354 }
1355
1356 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1357 {
1358         struct rfcomm_pn *pn = (void *) skb->data;
1359         struct rfcomm_dlc *d;
1360         u8 dlci = pn->dlci;
1361
1362         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1363
1364         if (!dlci)
1365                 return 0;
1366
1367         d = rfcomm_dlc_get(s, dlci);
1368         if (d) {
1369                 if (cr) {
1370                         /* PN request */
1371                         rfcomm_apply_pn(d, cr, pn);
1372                         rfcomm_send_pn(s, 0, d);
1373                 } else {
1374                         /* PN response */
1375                         switch (d->state) {
1376                         case BT_CONFIG:
1377                                 rfcomm_apply_pn(d, cr, pn);
1378
1379                                 d->state = BT_CONNECT;
1380                                 rfcomm_send_sabm(s, d->dlci);
1381                                 break;
1382                         }
1383                 }
1384         } else {
1385                 u8 channel = __srv_channel(dlci);
1386
1387                 if (!cr)
1388                         return 0;
1389
1390                 /* PN request for non existing DLC.
1391                  * Assume incoming connection. */
1392                 if (rfcomm_connect_ind(s, channel, &d)) {
1393                         d->dlci = dlci;
1394                         d->addr = __addr(s->initiator, dlci);
1395                         rfcomm_dlc_link(s, d);
1396
1397                         rfcomm_apply_pn(d, cr, pn);
1398
1399                         d->state = BT_OPEN;
1400                         rfcomm_send_pn(s, 0, d);
1401                 } else {
1402                         rfcomm_send_dm(s, dlci);
1403                 }
1404         }
1405         return 0;
1406 }
1407
1408 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1409 {
1410         struct rfcomm_rpn *rpn = (void *) skb->data;
1411         u8 dlci = __get_dlci(rpn->dlci);
1412
1413         u8 bit_rate  = 0;
1414         u8 data_bits = 0;
1415         u8 stop_bits = 0;
1416         u8 parity    = 0;
1417         u8 flow_ctrl = 0;
1418         u8 xon_char  = 0;
1419         u8 xoff_char = 0;
1420         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1421
1422         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1423                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1424                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1425
1426         if (!cr)
1427                 return 0;
1428
1429         if (len == 1) {
1430                 /* This is a request, return default (according to ETSI TS 07.10) settings */
1431                 bit_rate  = RFCOMM_RPN_BR_9600;
1432                 data_bits = RFCOMM_RPN_DATA_8;
1433                 stop_bits = RFCOMM_RPN_STOP_1;
1434                 parity    = RFCOMM_RPN_PARITY_NONE;
1435                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1436                 xon_char  = RFCOMM_RPN_XON_CHAR;
1437                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1438                 goto rpn_out;
1439         }
1440
1441         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1442          * no parity, no flow control lines, normal XON/XOFF chars */
1443
1444         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1445                 bit_rate = rpn->bit_rate;
1446                 if (bit_rate > RFCOMM_RPN_BR_230400) {
1447                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1448                         bit_rate = RFCOMM_RPN_BR_9600;
1449                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1450                 }
1451         }
1452
1453         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1454                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1455                 if (data_bits != RFCOMM_RPN_DATA_8) {
1456                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1457                         data_bits = RFCOMM_RPN_DATA_8;
1458                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1459                 }
1460         }
1461
1462         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1463                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1464                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1465                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1466                         stop_bits = RFCOMM_RPN_STOP_1;
1467                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1468                 }
1469         }
1470
1471         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1472                 parity = __get_rpn_parity(rpn->line_settings);
1473                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1474                         BT_DBG("RPN parity mismatch 0x%x", parity);
1475                         parity = RFCOMM_RPN_PARITY_NONE;
1476                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1477                 }
1478         }
1479
1480         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1481                 flow_ctrl = rpn->flow_ctrl;
1482                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1483                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1484                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1485                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1486                 }
1487         }
1488
1489         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1490                 xon_char = rpn->xon_char;
1491                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1492                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1493                         xon_char = RFCOMM_RPN_XON_CHAR;
1494                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1495                 }
1496         }
1497
1498         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1499                 xoff_char = rpn->xoff_char;
1500                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1501                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1502                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1503                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1504                 }
1505         }
1506
1507 rpn_out:
1508         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1509                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1510
1511         return 0;
1512 }
1513
1514 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1515 {
1516         struct rfcomm_rls *rls = (void *) skb->data;
1517         u8 dlci = __get_dlci(rls->dlci);
1518
1519         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1520
1521         if (!cr)
1522                 return 0;
1523
1524         /* We should probably do something with this information here. But
1525          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1526          * mandatory to recognise and respond to RLS */
1527
1528         rfcomm_send_rls(s, 0, dlci, rls->status);
1529
1530         return 0;
1531 }
1532
1533 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1534 {
1535         struct rfcomm_msc *msc = (void *) skb->data;
1536         struct rfcomm_dlc *d;
1537         u8 dlci = __get_dlci(msc->dlci);
1538
1539         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1540
1541         d = rfcomm_dlc_get(s, dlci);
1542         if (!d)
1543                 return 0;
1544
1545         if (cr) {
1546                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1547                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1548                 else
1549                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1550
1551                 rfcomm_dlc_lock(d);
1552
1553                 d->remote_v24_sig = msc->v24_sig;
1554
1555                 if (d->modem_status)
1556                         d->modem_status(d, msc->v24_sig);
1557
1558                 rfcomm_dlc_unlock(d);
1559
1560                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1561
1562                 d->mscex |= RFCOMM_MSCEX_RX;
1563         } else
1564                 d->mscex |= RFCOMM_MSCEX_TX;
1565
1566         return 0;
1567 }
1568
1569 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1570 {
1571         struct rfcomm_mcc *mcc = (void *) skb->data;
1572         u8 type, cr, len;
1573
1574         cr   = __test_cr(mcc->type);
1575         type = __get_mcc_type(mcc->type);
1576         len  = __get_mcc_len(mcc->len);
1577
1578         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1579
1580         skb_pull(skb, 2);
1581
1582         switch (type) {
1583         case RFCOMM_PN:
1584                 rfcomm_recv_pn(s, cr, skb);
1585                 break;
1586
1587         case RFCOMM_RPN:
1588                 rfcomm_recv_rpn(s, cr, len, skb);
1589                 break;
1590
1591         case RFCOMM_RLS:
1592                 rfcomm_recv_rls(s, cr, skb);
1593                 break;
1594
1595         case RFCOMM_MSC:
1596                 rfcomm_recv_msc(s, cr, skb);
1597                 break;
1598
1599         case RFCOMM_FCOFF:
1600                 if (cr) {
1601                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1602                         rfcomm_send_fcoff(s, 0);
1603                 }
1604                 break;
1605
1606         case RFCOMM_FCON:
1607                 if (cr) {
1608                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1609                         rfcomm_send_fcon(s, 0);
1610                 }
1611                 break;
1612
1613         case RFCOMM_TEST:
1614                 if (cr)
1615                         rfcomm_send_test(s, 0, skb->data, skb->len);
1616                 break;
1617
1618         case RFCOMM_NSC:
1619                 break;
1620
1621         default:
1622                 BT_ERR("Unknown control type 0x%02x", type);
1623                 rfcomm_send_nsc(s, cr, type);
1624                 break;
1625         }
1626         return 0;
1627 }
1628
1629 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1630 {
1631         struct rfcomm_dlc *d;
1632
1633         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1634
1635         d = rfcomm_dlc_get(s, dlci);
1636         if (!d) {
1637                 rfcomm_send_dm(s, dlci);
1638                 goto drop;
1639         }
1640
1641         if (pf && d->cfc) {
1642                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1643
1644                 d->tx_credits += credits;
1645                 if (d->tx_credits)
1646                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1647         }
1648
1649         if (skb->len && d->state == BT_CONNECTED) {
1650                 rfcomm_dlc_lock(d);
1651                 d->rx_credits--;
1652                 d->data_ready(d, skb);
1653                 rfcomm_dlc_unlock(d);
1654                 return 0;
1655         }
1656
1657 drop:
1658         kfree_skb(skb);
1659         return 0;
1660 }
1661
1662 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1663 {
1664         struct rfcomm_hdr *hdr = (void *) skb->data;
1665         u8 type, dlci, fcs;
1666
1667         dlci = __get_dlci(hdr->addr);
1668         type = __get_type(hdr->ctrl);
1669
1670         /* Trim FCS */
1671         skb->len--; skb->tail--;
1672         fcs = *(u8 *)skb_tail_pointer(skb);
1673
1674         if (__check_fcs(skb->data, type, fcs)) {
1675                 BT_ERR("bad checksum in packet");
1676                 kfree_skb(skb);
1677                 return -EILSEQ;
1678         }
1679
1680         if (__test_ea(hdr->len))
1681                 skb_pull(skb, 3);
1682         else
1683                 skb_pull(skb, 4);
1684
1685         switch (type) {
1686         case RFCOMM_SABM:
1687                 if (__test_pf(hdr->ctrl))
1688                         rfcomm_recv_sabm(s, dlci);
1689                 break;
1690
1691         case RFCOMM_DISC:
1692                 if (__test_pf(hdr->ctrl))
1693                         rfcomm_recv_disc(s, dlci);
1694                 break;
1695
1696         case RFCOMM_UA:
1697                 if (__test_pf(hdr->ctrl))
1698                         rfcomm_recv_ua(s, dlci);
1699                 break;
1700
1701         case RFCOMM_DM:
1702                 rfcomm_recv_dm(s, dlci);
1703                 break;
1704
1705         case RFCOMM_UIH:
1706                 if (dlci)
1707                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1708
1709                 rfcomm_recv_mcc(s, skb);
1710                 break;
1711
1712         default:
1713                 BT_ERR("Unknown packet type 0x%02x", type);
1714                 break;
1715         }
1716         kfree_skb(skb);
1717         return 0;
1718 }
1719
1720 /* ---- Connection and data processing ---- */
1721
1722 static void rfcomm_process_connect(struct rfcomm_session *s)
1723 {
1724         struct rfcomm_dlc *d;
1725         struct list_head *p, *n;
1726
1727         BT_DBG("session %p state %ld", s, s->state);
1728
1729         list_for_each_safe(p, n, &s->dlcs) {
1730                 d = list_entry(p, struct rfcomm_dlc, list);
1731                 if (d->state == BT_CONFIG) {
1732                         d->mtu = s->mtu;
1733                         if (rfcomm_check_security(d)) {
1734                                 rfcomm_send_pn(s, 1, d);
1735                         } else {
1736                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1737                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1738                         }
1739                 }
1740         }
1741 }
1742
1743 /* Send data queued for the DLC.
1744  * Return number of frames left in the queue.
1745  */
1746 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1747 {
1748         struct sk_buff *skb;
1749         int err;
1750
1751         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1752                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1753
1754         /* Send pending MSC */
1755         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1756                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1757
1758         if (d->cfc) {
1759                 /* CFC enabled.
1760                  * Give them some credits */
1761                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1762                                 d->rx_credits <= (d->cfc >> 2)) {
1763                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1764                         d->rx_credits = d->cfc;
1765                 }
1766         } else {
1767                 /* CFC disabled.
1768                  * Give ourselves some credits */
1769                 d->tx_credits = 5;
1770         }
1771
1772         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1773                 return skb_queue_len(&d->tx_queue);
1774
1775         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1776                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1777                 if (err < 0) {
1778                         skb_queue_head(&d->tx_queue, skb);
1779                         break;
1780                 }
1781                 kfree_skb(skb);
1782                 d->tx_credits--;
1783         }
1784
1785         if (d->cfc && !d->tx_credits) {
1786                 /* We're out of TX credits.
1787                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1788                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1789         }
1790
1791         return skb_queue_len(&d->tx_queue);
1792 }
1793
1794 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1795 {
1796         struct rfcomm_dlc *d;
1797         struct list_head *p, *n;
1798
1799         BT_DBG("session %p state %ld", s, s->state);
1800
1801         list_for_each_safe(p, n, &s->dlcs) {
1802                 d = list_entry(p, struct rfcomm_dlc, list);
1803
1804                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1805                         __rfcomm_dlc_close(d, ETIMEDOUT);
1806                         continue;
1807                 }
1808
1809                 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1810                         __rfcomm_dlc_close(d, ECONNREFUSED);
1811                         continue;
1812                 }
1813
1814                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1815                         rfcomm_dlc_clear_timer(d);
1816                         if (d->out) {
1817                                 rfcomm_send_pn(s, 1, d);
1818                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1819                         } else {
1820                                 if (d->defer_setup) {
1821                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1822                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1823
1824                                         rfcomm_dlc_lock(d);
1825                                         d->state = BT_CONNECT2;
1826                                         d->state_change(d, 0);
1827                                         rfcomm_dlc_unlock(d);
1828                                 } else
1829                                         rfcomm_dlc_accept(d);
1830                         }
1831                         continue;
1832                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1833                         rfcomm_dlc_clear_timer(d);
1834                         if (!d->out)
1835                                 rfcomm_send_dm(s, d->dlci);
1836                         else
1837                                 d->state = BT_CLOSED;
1838                         __rfcomm_dlc_close(d, ECONNREFUSED);
1839                         continue;
1840                 }
1841
1842                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1843                         continue;
1844
1845                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1846                         continue;
1847
1848                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1849                                                 d->mscex == RFCOMM_MSCEX_OK)
1850                         rfcomm_process_tx(d);
1851         }
1852 }
1853
1854 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1855 {
1856         struct socket *sock = s->sock;
1857         struct sock *sk = sock->sk;
1858         struct sk_buff *skb;
1859
1860         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1861
1862         /* Get data directly from socket receive queue without copying it. */
1863         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1864                 skb_orphan(skb);
1865                 if (!skb_linearize(skb))
1866                         rfcomm_recv_frame(s, skb);
1867                 else
1868                         kfree_skb(skb);
1869         }
1870
1871         if (sk->sk_state == BT_CLOSED) {
1872                 if (!s->initiator)
1873                         rfcomm_session_put(s);
1874
1875                 rfcomm_session_close(s, sk->sk_err);
1876         }
1877 }
1878
1879 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1880 {
1881         struct socket *sock = s->sock, *nsock;
1882         int err;
1883
1884         /* Fast check for a new connection.
1885          * Avoids unnesesary socket allocations. */
1886         if (list_empty(&bt_sk(sock->sk)->accept_q))
1887                 return;
1888
1889         BT_DBG("session %p", s);
1890
1891         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1892         if (err < 0)
1893                 return;
1894
1895         /* Set our callbacks */
1896         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1897         nsock->sk->sk_state_change = rfcomm_l2state_change;
1898
1899         s = rfcomm_session_add(nsock, BT_OPEN);
1900         if (s) {
1901                 rfcomm_session_hold(s);
1902
1903                 /* We should adjust MTU on incoming sessions.
1904                  * L2CAP MTU minus UIH header and FCS. */
1905                 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1906                                 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1907
1908                 rfcomm_schedule();
1909         } else
1910                 sock_release(nsock);
1911 }
1912
1913 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1914 {
1915         struct sock *sk = s->sock->sk;
1916
1917         BT_DBG("%p state %ld", s, s->state);
1918
1919         switch (sk->sk_state) {
1920         case BT_CONNECTED:
1921                 s->state = BT_CONNECT;
1922
1923                 /* We can adjust MTU on outgoing sessions.
1924                  * L2CAP MTU minus UIH header and FCS. */
1925                 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1926
1927                 rfcomm_send_sabm(s, 0);
1928                 break;
1929
1930         case BT_CLOSED:
1931                 s->state = BT_CLOSED;
1932                 rfcomm_session_close(s, sk->sk_err);
1933                 break;
1934         }
1935 }
1936
1937 static inline void rfcomm_process_sessions(void)
1938 {
1939         struct list_head *p, *n;
1940
1941         rfcomm_lock();
1942
1943         list_for_each_safe(p, n, &session_list) {
1944                 struct rfcomm_session *s;
1945                 s = list_entry(p, struct rfcomm_session, list);
1946
1947                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1948                         s->state = BT_DISCONN;
1949                         rfcomm_send_disc(s, 0);
1950                         rfcomm_session_put(s);
1951                         continue;
1952                 }
1953
1954                 if (s->state == BT_LISTEN) {
1955                         rfcomm_accept_connection(s);
1956                         continue;
1957                 }
1958
1959                 rfcomm_session_hold(s);
1960
1961                 switch (s->state) {
1962                 case BT_BOUND:
1963                         rfcomm_check_connection(s);
1964                         break;
1965
1966                 default:
1967                         rfcomm_process_rx(s);
1968                         break;
1969                 }
1970
1971                 rfcomm_process_dlcs(s);
1972
1973                 rfcomm_session_put(s);
1974         }
1975
1976         rfcomm_unlock();
1977 }
1978
1979 static int rfcomm_add_listener(bdaddr_t *ba)
1980 {
1981         struct sockaddr_l2 addr;
1982         struct socket *sock;
1983         struct sock *sk;
1984         struct rfcomm_session *s;
1985         int    err = 0;
1986
1987         /* Create socket */
1988         err = rfcomm_l2sock_create(&sock);
1989         if (err < 0) {
1990                 BT_ERR("Create socket failed %d", err);
1991                 return err;
1992         }
1993
1994         /* Bind socket */
1995         bacpy(&addr.l2_bdaddr, ba);
1996         addr.l2_family = AF_BLUETOOTH;
1997         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
1998         addr.l2_cid    = 0;
1999         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2000         if (err < 0) {
2001                 BT_ERR("Bind failed %d", err);
2002                 goto failed;
2003         }
2004
2005         /* Set L2CAP options */
2006         sk = sock->sk;
2007         lock_sock(sk);
2008         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2009         release_sock(sk);
2010
2011         /* Start listening on the socket */
2012         err = kernel_listen(sock, 10);
2013         if (err) {
2014                 BT_ERR("Listen failed %d", err);
2015                 goto failed;
2016         }
2017
2018         /* Add listening session */
2019         s = rfcomm_session_add(sock, BT_LISTEN);
2020         if (!s)
2021                 goto failed;
2022
2023         rfcomm_session_hold(s);
2024         return 0;
2025 failed:
2026         sock_release(sock);
2027         return err;
2028 }
2029
2030 static void rfcomm_kill_listener(void)
2031 {
2032         struct rfcomm_session *s;
2033         struct list_head *p, *n;
2034
2035         BT_DBG("");
2036
2037         list_for_each_safe(p, n, &session_list) {
2038                 s = list_entry(p, struct rfcomm_session, list);
2039                 rfcomm_session_del(s);
2040         }
2041 }
2042
2043 static int rfcomm_run(void *unused)
2044 {
2045         BT_DBG("");
2046
2047         set_user_nice(current, -10);
2048
2049         rfcomm_add_listener(BDADDR_ANY);
2050
2051         while (1) {
2052                 set_current_state(TASK_INTERRUPTIBLE);
2053
2054                 if (kthread_should_stop())
2055                         break;
2056
2057                 /* Process stuff */
2058                 rfcomm_process_sessions();
2059
2060                 schedule();
2061         }
2062         __set_current_state(TASK_RUNNING);
2063
2064         rfcomm_kill_listener();
2065
2066         return 0;
2067 }
2068
2069 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2070 {
2071         struct rfcomm_session *s;
2072         struct rfcomm_dlc *d;
2073         struct list_head *p, *n;
2074
2075         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2076
2077         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2078         if (!s)
2079                 return;
2080
2081         rfcomm_session_hold(s);
2082
2083         list_for_each_safe(p, n, &s->dlcs) {
2084                 d = list_entry(p, struct rfcomm_dlc, list);
2085
2086                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2087                         rfcomm_dlc_clear_timer(d);
2088                         if (status || encrypt == 0x00) {
2089                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2090                                 continue;
2091                         }
2092                 }
2093
2094                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2095                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2096                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2097                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2098                                 continue;
2099                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2100                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2101                                 continue;
2102                         }
2103                 }
2104
2105                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2106                         continue;
2107
2108                 if (!status && hci_conn_check_secure(conn, d->sec_level))
2109                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2110                 else
2111                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2112         }
2113
2114         rfcomm_session_put(s);
2115
2116         rfcomm_schedule();
2117 }
2118
2119 static struct hci_cb rfcomm_cb = {
2120         .name           = "RFCOMM",
2121         .security_cfm   = rfcomm_security_cfm
2122 };
2123
2124 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2125 {
2126         struct rfcomm_session *s;
2127
2128         rfcomm_lock();
2129
2130         list_for_each_entry(s, &session_list, list) {
2131                 struct rfcomm_dlc *d;
2132                 list_for_each_entry(d, &s->dlcs, list) {
2133                         struct sock *sk = s->sock->sk;
2134
2135                         seq_printf(f, "%s %s %ld %d %d %d %d\n",
2136                                                 batostr(&bt_sk(sk)->src),
2137                                                 batostr(&bt_sk(sk)->dst),
2138                                                 d->state, d->dlci, d->mtu,
2139                                                 d->rx_credits, d->tx_credits);
2140                 }
2141         }
2142
2143         rfcomm_unlock();
2144
2145         return 0;
2146 }
2147
2148 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2149 {
2150         return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2151 }
2152
2153 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2154         .open           = rfcomm_dlc_debugfs_open,
2155         .read           = seq_read,
2156         .llseek         = seq_lseek,
2157         .release        = single_release,
2158 };
2159
2160 static struct dentry *rfcomm_dlc_debugfs;
2161
2162 /* ---- Initialization ---- */
2163 static int __init rfcomm_init(void)
2164 {
2165         int err;
2166
2167         hci_register_cb(&rfcomm_cb);
2168
2169         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2170         if (IS_ERR(rfcomm_thread)) {
2171                 err = PTR_ERR(rfcomm_thread);
2172                 goto unregister;
2173         }
2174
2175         if (bt_debugfs) {
2176                 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2177                                 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2178                 if (!rfcomm_dlc_debugfs)
2179                         BT_ERR("Failed to create RFCOMM debug file");
2180         }
2181
2182         err = rfcomm_init_ttys();
2183         if (err < 0)
2184                 goto stop;
2185
2186         err = rfcomm_init_sockets();
2187         if (err < 0)
2188                 goto cleanup;
2189
2190         BT_INFO("RFCOMM ver %s", VERSION);
2191
2192         return 0;
2193
2194 cleanup:
2195         rfcomm_cleanup_ttys();
2196
2197 stop:
2198         kthread_stop(rfcomm_thread);
2199
2200 unregister:
2201         hci_unregister_cb(&rfcomm_cb);
2202
2203         return err;
2204 }
2205
2206 static void __exit rfcomm_exit(void)
2207 {
2208         debugfs_remove(rfcomm_dlc_debugfs);
2209
2210         hci_unregister_cb(&rfcomm_cb);
2211
2212         kthread_stop(rfcomm_thread);
2213
2214         rfcomm_cleanup_ttys();
2215
2216         rfcomm_cleanup_sockets();
2217 }
2218
2219 module_init(rfcomm_init);
2220 module_exit(rfcomm_exit);
2221
2222 module_param(disable_cfc, bool, 0644);
2223 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2224
2225 module_param(channel_mtu, int, 0644);
2226 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2227
2228 module_param(l2cap_mtu, uint, 0644);
2229 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2230
2231 module_param(l2cap_ertm, bool, 0644);
2232 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2233
2234 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2235 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2236 MODULE_VERSION(VERSION);
2237 MODULE_LICENSE("GPL");
2238 MODULE_ALIAS("bt-proto-3");