Linux 3.3-rc6
[linux-2.6.git] / net / bluetooth / rfcomm / core.c
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25  * Bluetooth RFCOMM core.
26  */
27
28 #include <linux/module.h>
29 #include <linux/errno.h>
30 #include <linux/kernel.h>
31 #include <linux/sched.h>
32 #include <linux/signal.h>
33 #include <linux/init.h>
34 #include <linux/wait.h>
35 #include <linux/device.h>
36 #include <linux/debugfs.h>
37 #include <linux/seq_file.h>
38 #include <linux/net.h>
39 #include <linux/mutex.h>
40 #include <linux/kthread.h>
41 #include <linux/slab.h>
42
43 #include <net/sock.h>
44 #include <linux/uaccess.h>
45 #include <asm/unaligned.h>
46
47 #include <net/bluetooth/bluetooth.h>
48 #include <net/bluetooth/hci_core.h>
49 #include <net/bluetooth/l2cap.h>
50 #include <net/bluetooth/rfcomm.h>
51
52 #define VERSION "1.11"
53
54 static bool disable_cfc;
55 static bool l2cap_ertm;
56 static int channel_mtu = -1;
57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
58
59 static struct task_struct *rfcomm_thread;
60
61 static DEFINE_MUTEX(rfcomm_mutex);
62 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
64
65
66 static LIST_HEAD(session_list);
67
68 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
69 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
70 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
71 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
72 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
73 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
74 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
75 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
76 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
77 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
78
79 static void rfcomm_process_connect(struct rfcomm_session *s);
80
81 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
82                                                         bdaddr_t *dst,
83                                                         u8 sec_level,
84                                                         int *err);
85 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
86 static void rfcomm_session_del(struct rfcomm_session *s);
87
88 /* ---- RFCOMM frame parsing macros ---- */
89 #define __get_dlci(b)     ((b & 0xfc) >> 2)
90 #define __get_channel(b)  ((b & 0xf8) >> 3)
91 #define __get_dir(b)      ((b & 0x04) >> 2)
92 #define __get_type(b)     ((b & 0xef))
93
94 #define __test_ea(b)      ((b & 0x01))
95 #define __test_cr(b)      ((b & 0x02))
96 #define __test_pf(b)      ((b & 0x10))
97
98 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
99 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
100 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
101 #define __srv_channel(dlci)    (dlci >> 1)
102 #define __dir(dlci)            (dlci & 0x01)
103
104 #define __len8(len)       (((len) << 1) | 1)
105 #define __len16(len)      ((len) << 1)
106
107 /* MCC macros */
108 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
109 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
110 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
111
112 /* RPN macros */
113 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
114 #define __get_rpn_data_bits(line) ((line) & 0x3)
115 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
116 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
117
118 static inline void rfcomm_schedule(void)
119 {
120         if (!rfcomm_thread)
121                 return;
122         wake_up_process(rfcomm_thread);
123 }
124
125 static inline void rfcomm_session_put(struct rfcomm_session *s)
126 {
127         if (atomic_dec_and_test(&s->refcnt))
128                 rfcomm_session_del(s);
129 }
130
131 /* ---- RFCOMM FCS computation ---- */
132
133 /* reversed, 8-bit, poly=0x07 */
134 static unsigned char rfcomm_crc_table[256] = {
135         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
136         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
137         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
138         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
139
140         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
141         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
142         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
143         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
144
145         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
146         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
147         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
148         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
149
150         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
151         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
152         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
153         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
154
155         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
156         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
157         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
158         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
159
160         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
161         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
162         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
163         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
164
165         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
166         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
167         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
168         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
169
170         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
171         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
172         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
173         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
174 };
175
176 /* CRC on 2 bytes */
177 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
178
179 /* FCS on 2 bytes */
180 static inline u8 __fcs(u8 *data)
181 {
182         return 0xff - __crc(data);
183 }
184
185 /* FCS on 3 bytes */
186 static inline u8 __fcs2(u8 *data)
187 {
188         return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
189 }
190
191 /* Check FCS */
192 static inline int __check_fcs(u8 *data, int type, u8 fcs)
193 {
194         u8 f = __crc(data);
195
196         if (type != RFCOMM_UIH)
197                 f = rfcomm_crc_table[f ^ data[2]];
198
199         return rfcomm_crc_table[f ^ fcs] != 0xcf;
200 }
201
202 /* ---- L2CAP callbacks ---- */
203 static void rfcomm_l2state_change(struct sock *sk)
204 {
205         BT_DBG("%p state %d", sk, sk->sk_state);
206         rfcomm_schedule();
207 }
208
209 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
210 {
211         BT_DBG("%p bytes %d", sk, bytes);
212         rfcomm_schedule();
213 }
214
215 static int rfcomm_l2sock_create(struct socket **sock)
216 {
217         int err;
218
219         BT_DBG("");
220
221         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
222         if (!err) {
223                 struct sock *sk = (*sock)->sk;
224                 sk->sk_data_ready   = rfcomm_l2data_ready;
225                 sk->sk_state_change = rfcomm_l2state_change;
226         }
227         return err;
228 }
229
230 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
231 {
232         struct sock *sk = d->session->sock->sk;
233         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
234
235         __u8 auth_type;
236
237         switch (d->sec_level) {
238         case BT_SECURITY_HIGH:
239                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
240                 break;
241         case BT_SECURITY_MEDIUM:
242                 auth_type = HCI_AT_GENERAL_BONDING;
243                 break;
244         default:
245                 auth_type = HCI_AT_NO_BONDING;
246                 break;
247         }
248
249         return hci_conn_security(conn->hcon, d->sec_level, auth_type);
250 }
251
252 static void rfcomm_session_timeout(unsigned long arg)
253 {
254         struct rfcomm_session *s = (void *) arg;
255
256         BT_DBG("session %p state %ld", s, s->state);
257
258         set_bit(RFCOMM_TIMED_OUT, &s->flags);
259         rfcomm_schedule();
260 }
261
262 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
263 {
264         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
265
266         if (!mod_timer(&s->timer, jiffies + timeout))
267                 rfcomm_session_hold(s);
268 }
269
270 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
271 {
272         BT_DBG("session %p state %ld", s, s->state);
273
274         if (timer_pending(&s->timer) && del_timer(&s->timer))
275                 rfcomm_session_put(s);
276 }
277
278 /* ---- RFCOMM DLCs ---- */
279 static void rfcomm_dlc_timeout(unsigned long arg)
280 {
281         struct rfcomm_dlc *d = (void *) arg;
282
283         BT_DBG("dlc %p state %ld", d, d->state);
284
285         set_bit(RFCOMM_TIMED_OUT, &d->flags);
286         rfcomm_dlc_put(d);
287         rfcomm_schedule();
288 }
289
290 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
291 {
292         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
293
294         if (!mod_timer(&d->timer, jiffies + timeout))
295                 rfcomm_dlc_hold(d);
296 }
297
298 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
299 {
300         BT_DBG("dlc %p state %ld", d, d->state);
301
302         if (timer_pending(&d->timer) && del_timer(&d->timer))
303                 rfcomm_dlc_put(d);
304 }
305
306 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
307 {
308         BT_DBG("%p", d);
309
310         d->state      = BT_OPEN;
311         d->flags      = 0;
312         d->mscex      = 0;
313         d->sec_level  = BT_SECURITY_LOW;
314         d->mtu        = RFCOMM_DEFAULT_MTU;
315         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
316
317         d->cfc        = RFCOMM_CFC_DISABLED;
318         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
319 }
320
321 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
322 {
323         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
324
325         if (!d)
326                 return NULL;
327
328         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
329
330         skb_queue_head_init(&d->tx_queue);
331         spin_lock_init(&d->lock);
332         atomic_set(&d->refcnt, 1);
333
334         rfcomm_dlc_clear_state(d);
335
336         BT_DBG("%p", d);
337
338         return d;
339 }
340
341 void rfcomm_dlc_free(struct rfcomm_dlc *d)
342 {
343         BT_DBG("%p", d);
344
345         skb_queue_purge(&d->tx_queue);
346         kfree(d);
347 }
348
349 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
350 {
351         BT_DBG("dlc %p session %p", d, s);
352
353         rfcomm_session_hold(s);
354
355         rfcomm_session_clear_timer(s);
356         rfcomm_dlc_hold(d);
357         list_add(&d->list, &s->dlcs);
358         d->session = s;
359 }
360
361 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
362 {
363         struct rfcomm_session *s = d->session;
364
365         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
366
367         list_del(&d->list);
368         d->session = NULL;
369         rfcomm_dlc_put(d);
370
371         if (list_empty(&s->dlcs))
372                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
373
374         rfcomm_session_put(s);
375 }
376
377 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
378 {
379         struct rfcomm_dlc *d;
380
381         list_for_each_entry(d, &s->dlcs, list)
382                 if (d->dlci == dlci)
383                         return d;
384
385         return NULL;
386 }
387
388 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
389 {
390         struct rfcomm_session *s;
391         int err = 0;
392         u8 dlci;
393
394         BT_DBG("dlc %p state %ld %s %s channel %d",
395                         d, d->state, batostr(src), batostr(dst), channel);
396
397         if (channel < 1 || channel > 30)
398                 return -EINVAL;
399
400         if (d->state != BT_OPEN && d->state != BT_CLOSED)
401                 return 0;
402
403         s = rfcomm_session_get(src, dst);
404         if (!s) {
405                 s = rfcomm_session_create(src, dst, d->sec_level, &err);
406                 if (!s)
407                         return err;
408         }
409
410         dlci = __dlci(!s->initiator, channel);
411
412         /* Check if DLCI already exists */
413         if (rfcomm_dlc_get(s, dlci))
414                 return -EBUSY;
415
416         rfcomm_dlc_clear_state(d);
417
418         d->dlci     = dlci;
419         d->addr     = __addr(s->initiator, dlci);
420         d->priority = 7;
421
422         d->state = BT_CONFIG;
423         rfcomm_dlc_link(s, d);
424
425         d->out = 1;
426
427         d->mtu = s->mtu;
428         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
429
430         if (s->state == BT_CONNECTED) {
431                 if (rfcomm_check_security(d))
432                         rfcomm_send_pn(s, 1, d);
433                 else
434                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
435         }
436
437         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
438
439         return 0;
440 }
441
442 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
443 {
444         int r;
445
446         rfcomm_lock();
447
448         r = __rfcomm_dlc_open(d, src, dst, channel);
449
450         rfcomm_unlock();
451         return r;
452 }
453
454 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
455 {
456         struct rfcomm_session *s = d->session;
457         if (!s)
458                 return 0;
459
460         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
461                         d, d->state, d->dlci, err, s);
462
463         switch (d->state) {
464         case BT_CONNECT:
465         case BT_CONFIG:
466                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
467                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
468                         rfcomm_schedule();
469                         break;
470                 }
471                 /* Fall through */
472
473         case BT_CONNECTED:
474                 d->state = BT_DISCONN;
475                 if (skb_queue_empty(&d->tx_queue)) {
476                         rfcomm_send_disc(s, d->dlci);
477                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
478                 } else {
479                         rfcomm_queue_disc(d);
480                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
481                 }
482                 break;
483
484         case BT_OPEN:
485         case BT_CONNECT2:
486                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
487                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
488                         rfcomm_schedule();
489                         break;
490                 }
491                 /* Fall through */
492
493         default:
494                 rfcomm_dlc_clear_timer(d);
495
496                 rfcomm_dlc_lock(d);
497                 d->state = BT_CLOSED;
498                 d->state_change(d, err);
499                 rfcomm_dlc_unlock(d);
500
501                 skb_queue_purge(&d->tx_queue);
502                 rfcomm_dlc_unlink(d);
503         }
504
505         return 0;
506 }
507
508 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
509 {
510         int r;
511
512         rfcomm_lock();
513
514         r = __rfcomm_dlc_close(d, err);
515
516         rfcomm_unlock();
517         return r;
518 }
519
520 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
521 {
522         int len = skb->len;
523
524         if (d->state != BT_CONNECTED)
525                 return -ENOTCONN;
526
527         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
528
529         if (len > d->mtu)
530                 return -EINVAL;
531
532         rfcomm_make_uih(skb, d->addr);
533         skb_queue_tail(&d->tx_queue, skb);
534
535         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
536                 rfcomm_schedule();
537         return len;
538 }
539
540 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
541 {
542         BT_DBG("dlc %p state %ld", d, d->state);
543
544         if (!d->cfc) {
545                 d->v24_sig |= RFCOMM_V24_FC;
546                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
547         }
548         rfcomm_schedule();
549 }
550
551 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
552 {
553         BT_DBG("dlc %p state %ld", d, d->state);
554
555         if (!d->cfc) {
556                 d->v24_sig &= ~RFCOMM_V24_FC;
557                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
558         }
559         rfcomm_schedule();
560 }
561
562 /*
563    Set/get modem status functions use _local_ status i.e. what we report
564    to the other side.
565    Remote status is provided by dlc->modem_status() callback.
566  */
567 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
568 {
569         BT_DBG("dlc %p state %ld v24_sig 0x%x",
570                         d, d->state, v24_sig);
571
572         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
573                 v24_sig |= RFCOMM_V24_FC;
574         else
575                 v24_sig &= ~RFCOMM_V24_FC;
576
577         d->v24_sig = v24_sig;
578
579         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
580                 rfcomm_schedule();
581
582         return 0;
583 }
584
585 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
586 {
587         BT_DBG("dlc %p state %ld v24_sig 0x%x",
588                         d, d->state, d->v24_sig);
589
590         *v24_sig = d->v24_sig;
591         return 0;
592 }
593
594 /* ---- RFCOMM sessions ---- */
595 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
596 {
597         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
598
599         if (!s)
600                 return NULL;
601
602         BT_DBG("session %p sock %p", s, sock);
603
604         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
605
606         INIT_LIST_HEAD(&s->dlcs);
607         s->state = state;
608         s->sock  = sock;
609
610         s->mtu = RFCOMM_DEFAULT_MTU;
611         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
612
613         /* Do not increment module usage count for listening sessions.
614          * Otherwise we won't be able to unload the module. */
615         if (state != BT_LISTEN)
616                 if (!try_module_get(THIS_MODULE)) {
617                         kfree(s);
618                         return NULL;
619                 }
620
621         list_add(&s->list, &session_list);
622
623         return s;
624 }
625
626 static void rfcomm_session_del(struct rfcomm_session *s)
627 {
628         int state = s->state;
629
630         BT_DBG("session %p state %ld", s, s->state);
631
632         list_del(&s->list);
633
634         if (state == BT_CONNECTED)
635                 rfcomm_send_disc(s, 0);
636
637         rfcomm_session_clear_timer(s);
638         sock_release(s->sock);
639         kfree(s);
640
641         if (state != BT_LISTEN)
642                 module_put(THIS_MODULE);
643 }
644
645 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
646 {
647         struct rfcomm_session *s;
648         struct list_head *p, *n;
649         struct bt_sock *sk;
650         list_for_each_safe(p, n, &session_list) {
651                 s = list_entry(p, struct rfcomm_session, list);
652                 sk = bt_sk(s->sock->sk);
653
654                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
655                                 !bacmp(&sk->dst, dst))
656                         return s;
657         }
658         return NULL;
659 }
660
661 static void rfcomm_session_close(struct rfcomm_session *s, int err)
662 {
663         struct rfcomm_dlc *d;
664         struct list_head *p, *n;
665
666         BT_DBG("session %p state %ld err %d", s, s->state, err);
667
668         rfcomm_session_hold(s);
669
670         s->state = BT_CLOSED;
671
672         /* Close all dlcs */
673         list_for_each_safe(p, n, &s->dlcs) {
674                 d = list_entry(p, struct rfcomm_dlc, list);
675                 d->state = BT_CLOSED;
676                 __rfcomm_dlc_close(d, err);
677         }
678
679         rfcomm_session_clear_timer(s);
680         rfcomm_session_put(s);
681 }
682
683 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
684                                                         bdaddr_t *dst,
685                                                         u8 sec_level,
686                                                         int *err)
687 {
688         struct rfcomm_session *s = NULL;
689         struct sockaddr_l2 addr;
690         struct socket *sock;
691         struct sock *sk;
692
693         BT_DBG("%s %s", batostr(src), batostr(dst));
694
695         *err = rfcomm_l2sock_create(&sock);
696         if (*err < 0)
697                 return NULL;
698
699         bacpy(&addr.l2_bdaddr, src);
700         addr.l2_family = AF_BLUETOOTH;
701         addr.l2_psm    = 0;
702         addr.l2_cid    = 0;
703         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
704         if (*err < 0)
705                 goto failed;
706
707         /* Set L2CAP options */
708         sk = sock->sk;
709         lock_sock(sk);
710         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
711         l2cap_pi(sk)->chan->sec_level = sec_level;
712         if (l2cap_ertm)
713                 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
714         release_sock(sk);
715
716         s = rfcomm_session_add(sock, BT_BOUND);
717         if (!s) {
718                 *err = -ENOMEM;
719                 goto failed;
720         }
721
722         s->initiator = 1;
723
724         bacpy(&addr.l2_bdaddr, dst);
725         addr.l2_family = AF_BLUETOOTH;
726         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
727         addr.l2_cid    = 0;
728         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
729         if (*err == 0 || *err == -EINPROGRESS)
730                 return s;
731
732         rfcomm_session_del(s);
733         return NULL;
734
735 failed:
736         sock_release(sock);
737         return NULL;
738 }
739
740 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
741 {
742         struct sock *sk = s->sock->sk;
743         if (src)
744                 bacpy(src, &bt_sk(sk)->src);
745         if (dst)
746                 bacpy(dst, &bt_sk(sk)->dst);
747 }
748
749 /* ---- RFCOMM frame sending ---- */
750 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
751 {
752         struct kvec iv = { data, len };
753         struct msghdr msg;
754
755         BT_DBG("session %p len %d", s, len);
756
757         memset(&msg, 0, sizeof(msg));
758
759         return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
760 }
761
762 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
763 {
764         BT_DBG("%p cmd %u", s, cmd->ctrl);
765
766         return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
767 }
768
769 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
770 {
771         struct rfcomm_cmd cmd;
772
773         BT_DBG("%p dlci %d", s, dlci);
774
775         cmd.addr = __addr(s->initiator, dlci);
776         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
777         cmd.len  = __len8(0);
778         cmd.fcs  = __fcs2((u8 *) &cmd);
779
780         return rfcomm_send_cmd(s, &cmd);
781 }
782
783 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
784 {
785         struct rfcomm_cmd cmd;
786
787         BT_DBG("%p dlci %d", s, dlci);
788
789         cmd.addr = __addr(!s->initiator, dlci);
790         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
791         cmd.len  = __len8(0);
792         cmd.fcs  = __fcs2((u8 *) &cmd);
793
794         return rfcomm_send_cmd(s, &cmd);
795 }
796
797 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
798 {
799         struct rfcomm_cmd cmd;
800
801         BT_DBG("%p dlci %d", s, dlci);
802
803         cmd.addr = __addr(s->initiator, dlci);
804         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
805         cmd.len  = __len8(0);
806         cmd.fcs  = __fcs2((u8 *) &cmd);
807
808         return rfcomm_send_cmd(s, &cmd);
809 }
810
811 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
812 {
813         struct rfcomm_cmd *cmd;
814         struct sk_buff *skb;
815
816         BT_DBG("dlc %p dlci %d", d, d->dlci);
817
818         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
819         if (!skb)
820                 return -ENOMEM;
821
822         cmd = (void *) __skb_put(skb, sizeof(*cmd));
823         cmd->addr = d->addr;
824         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
825         cmd->len  = __len8(0);
826         cmd->fcs  = __fcs2((u8 *) cmd);
827
828         skb_queue_tail(&d->tx_queue, skb);
829         rfcomm_schedule();
830         return 0;
831 }
832
833 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
834 {
835         struct rfcomm_cmd cmd;
836
837         BT_DBG("%p dlci %d", s, dlci);
838
839         cmd.addr = __addr(!s->initiator, dlci);
840         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
841         cmd.len  = __len8(0);
842         cmd.fcs  = __fcs2((u8 *) &cmd);
843
844         return rfcomm_send_cmd(s, &cmd);
845 }
846
847 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
848 {
849         struct rfcomm_hdr *hdr;
850         struct rfcomm_mcc *mcc;
851         u8 buf[16], *ptr = buf;
852
853         BT_DBG("%p cr %d type %d", s, cr, type);
854
855         hdr = (void *) ptr; ptr += sizeof(*hdr);
856         hdr->addr = __addr(s->initiator, 0);
857         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
858         hdr->len  = __len8(sizeof(*mcc) + 1);
859
860         mcc = (void *) ptr; ptr += sizeof(*mcc);
861         mcc->type = __mcc_type(cr, RFCOMM_NSC);
862         mcc->len  = __len8(1);
863
864         /* Type that we didn't like */
865         *ptr = __mcc_type(cr, type); ptr++;
866
867         *ptr = __fcs(buf); ptr++;
868
869         return rfcomm_send_frame(s, buf, ptr - buf);
870 }
871
872 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
873 {
874         struct rfcomm_hdr *hdr;
875         struct rfcomm_mcc *mcc;
876         struct rfcomm_pn  *pn;
877         u8 buf[16], *ptr = buf;
878
879         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
880
881         hdr = (void *) ptr; ptr += sizeof(*hdr);
882         hdr->addr = __addr(s->initiator, 0);
883         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
884         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
885
886         mcc = (void *) ptr; ptr += sizeof(*mcc);
887         mcc->type = __mcc_type(cr, RFCOMM_PN);
888         mcc->len  = __len8(sizeof(*pn));
889
890         pn = (void *) ptr; ptr += sizeof(*pn);
891         pn->dlci        = d->dlci;
892         pn->priority    = d->priority;
893         pn->ack_timer   = 0;
894         pn->max_retrans = 0;
895
896         if (s->cfc) {
897                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
898                 pn->credits = RFCOMM_DEFAULT_CREDITS;
899         } else {
900                 pn->flow_ctrl = 0;
901                 pn->credits   = 0;
902         }
903
904         if (cr && channel_mtu >= 0)
905                 pn->mtu = cpu_to_le16(channel_mtu);
906         else
907                 pn->mtu = cpu_to_le16(d->mtu);
908
909         *ptr = __fcs(buf); ptr++;
910
911         return rfcomm_send_frame(s, buf, ptr - buf);
912 }
913
914 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
915                         u8 bit_rate, u8 data_bits, u8 stop_bits,
916                         u8 parity, u8 flow_ctrl_settings,
917                         u8 xon_char, u8 xoff_char, u16 param_mask)
918 {
919         struct rfcomm_hdr *hdr;
920         struct rfcomm_mcc *mcc;
921         struct rfcomm_rpn *rpn;
922         u8 buf[16], *ptr = buf;
923
924         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
925                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
926                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
927                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
928
929         hdr = (void *) ptr; ptr += sizeof(*hdr);
930         hdr->addr = __addr(s->initiator, 0);
931         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
932         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
933
934         mcc = (void *) ptr; ptr += sizeof(*mcc);
935         mcc->type = __mcc_type(cr, RFCOMM_RPN);
936         mcc->len  = __len8(sizeof(*rpn));
937
938         rpn = (void *) ptr; ptr += sizeof(*rpn);
939         rpn->dlci          = __addr(1, dlci);
940         rpn->bit_rate      = bit_rate;
941         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
942         rpn->flow_ctrl     = flow_ctrl_settings;
943         rpn->xon_char      = xon_char;
944         rpn->xoff_char     = xoff_char;
945         rpn->param_mask    = cpu_to_le16(param_mask);
946
947         *ptr = __fcs(buf); ptr++;
948
949         return rfcomm_send_frame(s, buf, ptr - buf);
950 }
951
952 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
953 {
954         struct rfcomm_hdr *hdr;
955         struct rfcomm_mcc *mcc;
956         struct rfcomm_rls *rls;
957         u8 buf[16], *ptr = buf;
958
959         BT_DBG("%p cr %d status 0x%x", s, cr, status);
960
961         hdr = (void *) ptr; ptr += sizeof(*hdr);
962         hdr->addr = __addr(s->initiator, 0);
963         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
964         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
965
966         mcc = (void *) ptr; ptr += sizeof(*mcc);
967         mcc->type = __mcc_type(cr, RFCOMM_RLS);
968         mcc->len  = __len8(sizeof(*rls));
969
970         rls = (void *) ptr; ptr += sizeof(*rls);
971         rls->dlci   = __addr(1, dlci);
972         rls->status = status;
973
974         *ptr = __fcs(buf); ptr++;
975
976         return rfcomm_send_frame(s, buf, ptr - buf);
977 }
978
979 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
980 {
981         struct rfcomm_hdr *hdr;
982         struct rfcomm_mcc *mcc;
983         struct rfcomm_msc *msc;
984         u8 buf[16], *ptr = buf;
985
986         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
987
988         hdr = (void *) ptr; ptr += sizeof(*hdr);
989         hdr->addr = __addr(s->initiator, 0);
990         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
991         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
992
993         mcc = (void *) ptr; ptr += sizeof(*mcc);
994         mcc->type = __mcc_type(cr, RFCOMM_MSC);
995         mcc->len  = __len8(sizeof(*msc));
996
997         msc = (void *) ptr; ptr += sizeof(*msc);
998         msc->dlci    = __addr(1, dlci);
999         msc->v24_sig = v24_sig | 0x01;
1000
1001         *ptr = __fcs(buf); ptr++;
1002
1003         return rfcomm_send_frame(s, buf, ptr - buf);
1004 }
1005
1006 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1007 {
1008         struct rfcomm_hdr *hdr;
1009         struct rfcomm_mcc *mcc;
1010         u8 buf[16], *ptr = buf;
1011
1012         BT_DBG("%p cr %d", s, cr);
1013
1014         hdr = (void *) ptr; ptr += sizeof(*hdr);
1015         hdr->addr = __addr(s->initiator, 0);
1016         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1017         hdr->len  = __len8(sizeof(*mcc));
1018
1019         mcc = (void *) ptr; ptr += sizeof(*mcc);
1020         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1021         mcc->len  = __len8(0);
1022
1023         *ptr = __fcs(buf); ptr++;
1024
1025         return rfcomm_send_frame(s, buf, ptr - buf);
1026 }
1027
1028 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1029 {
1030         struct rfcomm_hdr *hdr;
1031         struct rfcomm_mcc *mcc;
1032         u8 buf[16], *ptr = buf;
1033
1034         BT_DBG("%p cr %d", s, cr);
1035
1036         hdr = (void *) ptr; ptr += sizeof(*hdr);
1037         hdr->addr = __addr(s->initiator, 0);
1038         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1039         hdr->len  = __len8(sizeof(*mcc));
1040
1041         mcc = (void *) ptr; ptr += sizeof(*mcc);
1042         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1043         mcc->len  = __len8(0);
1044
1045         *ptr = __fcs(buf); ptr++;
1046
1047         return rfcomm_send_frame(s, buf, ptr - buf);
1048 }
1049
1050 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1051 {
1052         struct socket *sock = s->sock;
1053         struct kvec iv[3];
1054         struct msghdr msg;
1055         unsigned char hdr[5], crc[1];
1056
1057         if (len > 125)
1058                 return -EINVAL;
1059
1060         BT_DBG("%p cr %d", s, cr);
1061
1062         hdr[0] = __addr(s->initiator, 0);
1063         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1064         hdr[2] = 0x01 | ((len + 2) << 1);
1065         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1066         hdr[4] = 0x01 | (len << 1);
1067
1068         crc[0] = __fcs(hdr);
1069
1070         iv[0].iov_base = hdr;
1071         iv[0].iov_len  = 5;
1072         iv[1].iov_base = pattern;
1073         iv[1].iov_len  = len;
1074         iv[2].iov_base = crc;
1075         iv[2].iov_len  = 1;
1076
1077         memset(&msg, 0, sizeof(msg));
1078
1079         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1080 }
1081
1082 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1083 {
1084         struct rfcomm_hdr *hdr;
1085         u8 buf[16], *ptr = buf;
1086
1087         BT_DBG("%p addr %d credits %d", s, addr, credits);
1088
1089         hdr = (void *) ptr; ptr += sizeof(*hdr);
1090         hdr->addr = addr;
1091         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1092         hdr->len  = __len8(0);
1093
1094         *ptr = credits; ptr++;
1095
1096         *ptr = __fcs(buf); ptr++;
1097
1098         return rfcomm_send_frame(s, buf, ptr - buf);
1099 }
1100
1101 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1102 {
1103         struct rfcomm_hdr *hdr;
1104         int len = skb->len;
1105         u8 *crc;
1106
1107         if (len > 127) {
1108                 hdr = (void *) skb_push(skb, 4);
1109                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1110         } else {
1111                 hdr = (void *) skb_push(skb, 3);
1112                 hdr->len = __len8(len);
1113         }
1114         hdr->addr = addr;
1115         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1116
1117         crc = skb_put(skb, 1);
1118         *crc = __fcs((void *) hdr);
1119 }
1120
1121 /* ---- RFCOMM frame reception ---- */
1122 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1123 {
1124         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1125
1126         if (dlci) {
1127                 /* Data channel */
1128                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1129                 if (!d) {
1130                         rfcomm_send_dm(s, dlci);
1131                         return 0;
1132                 }
1133
1134                 switch (d->state) {
1135                 case BT_CONNECT:
1136                         rfcomm_dlc_clear_timer(d);
1137
1138                         rfcomm_dlc_lock(d);
1139                         d->state = BT_CONNECTED;
1140                         d->state_change(d, 0);
1141                         rfcomm_dlc_unlock(d);
1142
1143                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1144                         break;
1145
1146                 case BT_DISCONN:
1147                         d->state = BT_CLOSED;
1148                         __rfcomm_dlc_close(d, 0);
1149
1150                         if (list_empty(&s->dlcs)) {
1151                                 s->state = BT_DISCONN;
1152                                 rfcomm_send_disc(s, 0);
1153                                 rfcomm_session_clear_timer(s);
1154                         }
1155
1156                         break;
1157                 }
1158         } else {
1159                 /* Control channel */
1160                 switch (s->state) {
1161                 case BT_CONNECT:
1162                         s->state = BT_CONNECTED;
1163                         rfcomm_process_connect(s);
1164                         break;
1165
1166                 case BT_DISCONN:
1167                         /* rfcomm_session_put is called later so don't do
1168                          * anything here otherwise we will mess up the session
1169                          * reference counter:
1170                          *
1171                          * (a) when we are the initiator dlc_unlink will drive
1172                          * the reference counter to 0 (there is no initial put
1173                          * after session_add)
1174                          *
1175                          * (b) when we are not the initiator rfcomm_rx_process
1176                          * will explicitly call put to balance the initial hold
1177                          * done after session add.
1178                          */
1179                         break;
1180                 }
1181         }
1182         return 0;
1183 }
1184
1185 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1186 {
1187         int err = 0;
1188
1189         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1190
1191         if (dlci) {
1192                 /* Data DLC */
1193                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1194                 if (d) {
1195                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1196                                 err = ECONNREFUSED;
1197                         else
1198                                 err = ECONNRESET;
1199
1200                         d->state = BT_CLOSED;
1201                         __rfcomm_dlc_close(d, err);
1202                 }
1203         } else {
1204                 if (s->state == BT_CONNECT)
1205                         err = ECONNREFUSED;
1206                 else
1207                         err = ECONNRESET;
1208
1209                 s->state = BT_CLOSED;
1210                 rfcomm_session_close(s, err);
1211         }
1212         return 0;
1213 }
1214
1215 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1216 {
1217         int err = 0;
1218
1219         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1220
1221         if (dlci) {
1222                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1223                 if (d) {
1224                         rfcomm_send_ua(s, dlci);
1225
1226                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1227                                 err = ECONNREFUSED;
1228                         else
1229                                 err = ECONNRESET;
1230
1231                         d->state = BT_CLOSED;
1232                         __rfcomm_dlc_close(d, err);
1233                 } else
1234                         rfcomm_send_dm(s, dlci);
1235
1236         } else {
1237                 rfcomm_send_ua(s, 0);
1238
1239                 if (s->state == BT_CONNECT)
1240                         err = ECONNREFUSED;
1241                 else
1242                         err = ECONNRESET;
1243
1244                 s->state = BT_CLOSED;
1245                 rfcomm_session_close(s, err);
1246         }
1247
1248         return 0;
1249 }
1250
1251 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1252 {
1253         struct sock *sk = d->session->sock->sk;
1254         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1255
1256         BT_DBG("dlc %p", d);
1257
1258         rfcomm_send_ua(d->session, d->dlci);
1259
1260         rfcomm_dlc_clear_timer(d);
1261
1262         rfcomm_dlc_lock(d);
1263         d->state = BT_CONNECTED;
1264         d->state_change(d, 0);
1265         rfcomm_dlc_unlock(d);
1266
1267         if (d->role_switch)
1268                 hci_conn_switch_role(conn->hcon, 0x00);
1269
1270         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1271 }
1272
1273 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1274 {
1275         if (rfcomm_check_security(d)) {
1276                 if (d->defer_setup) {
1277                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1278                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1279
1280                         rfcomm_dlc_lock(d);
1281                         d->state = BT_CONNECT2;
1282                         d->state_change(d, 0);
1283                         rfcomm_dlc_unlock(d);
1284                 } else
1285                         rfcomm_dlc_accept(d);
1286         } else {
1287                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1288                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1289         }
1290 }
1291
1292 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1293 {
1294         struct rfcomm_dlc *d;
1295         u8 channel;
1296
1297         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1298
1299         if (!dlci) {
1300                 rfcomm_send_ua(s, 0);
1301
1302                 if (s->state == BT_OPEN) {
1303                         s->state = BT_CONNECTED;
1304                         rfcomm_process_connect(s);
1305                 }
1306                 return 0;
1307         }
1308
1309         /* Check if DLC exists */
1310         d = rfcomm_dlc_get(s, dlci);
1311         if (d) {
1312                 if (d->state == BT_OPEN) {
1313                         /* DLC was previously opened by PN request */
1314                         rfcomm_check_accept(d);
1315                 }
1316                 return 0;
1317         }
1318
1319         /* Notify socket layer about incoming connection */
1320         channel = __srv_channel(dlci);
1321         if (rfcomm_connect_ind(s, channel, &d)) {
1322                 d->dlci = dlci;
1323                 d->addr = __addr(s->initiator, dlci);
1324                 rfcomm_dlc_link(s, d);
1325
1326                 rfcomm_check_accept(d);
1327         } else {
1328                 rfcomm_send_dm(s, dlci);
1329         }
1330
1331         return 0;
1332 }
1333
1334 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1335 {
1336         struct rfcomm_session *s = d->session;
1337
1338         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1339                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1340
1341         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1342                                                 pn->flow_ctrl == 0xe0) {
1343                 d->cfc = RFCOMM_CFC_ENABLED;
1344                 d->tx_credits = pn->credits;
1345         } else {
1346                 d->cfc = RFCOMM_CFC_DISABLED;
1347                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1348         }
1349
1350         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1351                 s->cfc = d->cfc;
1352
1353         d->priority = pn->priority;
1354
1355         d->mtu = __le16_to_cpu(pn->mtu);
1356
1357         if (cr && d->mtu > s->mtu)
1358                 d->mtu = s->mtu;
1359
1360         return 0;
1361 }
1362
1363 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1364 {
1365         struct rfcomm_pn *pn = (void *) skb->data;
1366         struct rfcomm_dlc *d;
1367         u8 dlci = pn->dlci;
1368
1369         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1370
1371         if (!dlci)
1372                 return 0;
1373
1374         d = rfcomm_dlc_get(s, dlci);
1375         if (d) {
1376                 if (cr) {
1377                         /* PN request */
1378                         rfcomm_apply_pn(d, cr, pn);
1379                         rfcomm_send_pn(s, 0, d);
1380                 } else {
1381                         /* PN response */
1382                         switch (d->state) {
1383                         case BT_CONFIG:
1384                                 rfcomm_apply_pn(d, cr, pn);
1385
1386                                 d->state = BT_CONNECT;
1387                                 rfcomm_send_sabm(s, d->dlci);
1388                                 break;
1389                         }
1390                 }
1391         } else {
1392                 u8 channel = __srv_channel(dlci);
1393
1394                 if (!cr)
1395                         return 0;
1396
1397                 /* PN request for non existing DLC.
1398                  * Assume incoming connection. */
1399                 if (rfcomm_connect_ind(s, channel, &d)) {
1400                         d->dlci = dlci;
1401                         d->addr = __addr(s->initiator, dlci);
1402                         rfcomm_dlc_link(s, d);
1403
1404                         rfcomm_apply_pn(d, cr, pn);
1405
1406                         d->state = BT_OPEN;
1407                         rfcomm_send_pn(s, 0, d);
1408                 } else {
1409                         rfcomm_send_dm(s, dlci);
1410                 }
1411         }
1412         return 0;
1413 }
1414
1415 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1416 {
1417         struct rfcomm_rpn *rpn = (void *) skb->data;
1418         u8 dlci = __get_dlci(rpn->dlci);
1419
1420         u8 bit_rate  = 0;
1421         u8 data_bits = 0;
1422         u8 stop_bits = 0;
1423         u8 parity    = 0;
1424         u8 flow_ctrl = 0;
1425         u8 xon_char  = 0;
1426         u8 xoff_char = 0;
1427         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1428
1429         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1430                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1431                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1432
1433         if (!cr)
1434                 return 0;
1435
1436         if (len == 1) {
1437                 /* This is a request, return default (according to ETSI TS 07.10) settings */
1438                 bit_rate  = RFCOMM_RPN_BR_9600;
1439                 data_bits = RFCOMM_RPN_DATA_8;
1440                 stop_bits = RFCOMM_RPN_STOP_1;
1441                 parity    = RFCOMM_RPN_PARITY_NONE;
1442                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1443                 xon_char  = RFCOMM_RPN_XON_CHAR;
1444                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1445                 goto rpn_out;
1446         }
1447
1448         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1449          * no parity, no flow control lines, normal XON/XOFF chars */
1450
1451         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1452                 bit_rate = rpn->bit_rate;
1453                 if (bit_rate > RFCOMM_RPN_BR_230400) {
1454                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1455                         bit_rate = RFCOMM_RPN_BR_9600;
1456                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1457                 }
1458         }
1459
1460         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1461                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1462                 if (data_bits != RFCOMM_RPN_DATA_8) {
1463                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1464                         data_bits = RFCOMM_RPN_DATA_8;
1465                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1466                 }
1467         }
1468
1469         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1470                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1471                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1472                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1473                         stop_bits = RFCOMM_RPN_STOP_1;
1474                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1475                 }
1476         }
1477
1478         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1479                 parity = __get_rpn_parity(rpn->line_settings);
1480                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1481                         BT_DBG("RPN parity mismatch 0x%x", parity);
1482                         parity = RFCOMM_RPN_PARITY_NONE;
1483                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1484                 }
1485         }
1486
1487         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1488                 flow_ctrl = rpn->flow_ctrl;
1489                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1490                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1491                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1492                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1493                 }
1494         }
1495
1496         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1497                 xon_char = rpn->xon_char;
1498                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1499                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1500                         xon_char = RFCOMM_RPN_XON_CHAR;
1501                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1502                 }
1503         }
1504
1505         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1506                 xoff_char = rpn->xoff_char;
1507                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1508                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1509                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1510                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1511                 }
1512         }
1513
1514 rpn_out:
1515         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1516                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1517
1518         return 0;
1519 }
1520
1521 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1522 {
1523         struct rfcomm_rls *rls = (void *) skb->data;
1524         u8 dlci = __get_dlci(rls->dlci);
1525
1526         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1527
1528         if (!cr)
1529                 return 0;
1530
1531         /* We should probably do something with this information here. But
1532          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1533          * mandatory to recognise and respond to RLS */
1534
1535         rfcomm_send_rls(s, 0, dlci, rls->status);
1536
1537         return 0;
1538 }
1539
1540 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1541 {
1542         struct rfcomm_msc *msc = (void *) skb->data;
1543         struct rfcomm_dlc *d;
1544         u8 dlci = __get_dlci(msc->dlci);
1545
1546         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1547
1548         d = rfcomm_dlc_get(s, dlci);
1549         if (!d)
1550                 return 0;
1551
1552         if (cr) {
1553                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1554                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1555                 else
1556                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1557
1558                 rfcomm_dlc_lock(d);
1559
1560                 d->remote_v24_sig = msc->v24_sig;
1561
1562                 if (d->modem_status)
1563                         d->modem_status(d, msc->v24_sig);
1564
1565                 rfcomm_dlc_unlock(d);
1566
1567                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1568
1569                 d->mscex |= RFCOMM_MSCEX_RX;
1570         } else
1571                 d->mscex |= RFCOMM_MSCEX_TX;
1572
1573         return 0;
1574 }
1575
1576 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1577 {
1578         struct rfcomm_mcc *mcc = (void *) skb->data;
1579         u8 type, cr, len;
1580
1581         cr   = __test_cr(mcc->type);
1582         type = __get_mcc_type(mcc->type);
1583         len  = __get_mcc_len(mcc->len);
1584
1585         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1586
1587         skb_pull(skb, 2);
1588
1589         switch (type) {
1590         case RFCOMM_PN:
1591                 rfcomm_recv_pn(s, cr, skb);
1592                 break;
1593
1594         case RFCOMM_RPN:
1595                 rfcomm_recv_rpn(s, cr, len, skb);
1596                 break;
1597
1598         case RFCOMM_RLS:
1599                 rfcomm_recv_rls(s, cr, skb);
1600                 break;
1601
1602         case RFCOMM_MSC:
1603                 rfcomm_recv_msc(s, cr, skb);
1604                 break;
1605
1606         case RFCOMM_FCOFF:
1607                 if (cr) {
1608                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1609                         rfcomm_send_fcoff(s, 0);
1610                 }
1611                 break;
1612
1613         case RFCOMM_FCON:
1614                 if (cr) {
1615                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1616                         rfcomm_send_fcon(s, 0);
1617                 }
1618                 break;
1619
1620         case RFCOMM_TEST:
1621                 if (cr)
1622                         rfcomm_send_test(s, 0, skb->data, skb->len);
1623                 break;
1624
1625         case RFCOMM_NSC:
1626                 break;
1627
1628         default:
1629                 BT_ERR("Unknown control type 0x%02x", type);
1630                 rfcomm_send_nsc(s, cr, type);
1631                 break;
1632         }
1633         return 0;
1634 }
1635
1636 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1637 {
1638         struct rfcomm_dlc *d;
1639
1640         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1641
1642         d = rfcomm_dlc_get(s, dlci);
1643         if (!d) {
1644                 rfcomm_send_dm(s, dlci);
1645                 goto drop;
1646         }
1647
1648         if (pf && d->cfc) {
1649                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1650
1651                 d->tx_credits += credits;
1652                 if (d->tx_credits)
1653                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1654         }
1655
1656         if (skb->len && d->state == BT_CONNECTED) {
1657                 rfcomm_dlc_lock(d);
1658                 d->rx_credits--;
1659                 d->data_ready(d, skb);
1660                 rfcomm_dlc_unlock(d);
1661                 return 0;
1662         }
1663
1664 drop:
1665         kfree_skb(skb);
1666         return 0;
1667 }
1668
1669 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1670 {
1671         struct rfcomm_hdr *hdr = (void *) skb->data;
1672         u8 type, dlci, fcs;
1673
1674         dlci = __get_dlci(hdr->addr);
1675         type = __get_type(hdr->ctrl);
1676
1677         /* Trim FCS */
1678         skb->len--; skb->tail--;
1679         fcs = *(u8 *)skb_tail_pointer(skb);
1680
1681         if (__check_fcs(skb->data, type, fcs)) {
1682                 BT_ERR("bad checksum in packet");
1683                 kfree_skb(skb);
1684                 return -EILSEQ;
1685         }
1686
1687         if (__test_ea(hdr->len))
1688                 skb_pull(skb, 3);
1689         else
1690                 skb_pull(skb, 4);
1691
1692         switch (type) {
1693         case RFCOMM_SABM:
1694                 if (__test_pf(hdr->ctrl))
1695                         rfcomm_recv_sabm(s, dlci);
1696                 break;
1697
1698         case RFCOMM_DISC:
1699                 if (__test_pf(hdr->ctrl))
1700                         rfcomm_recv_disc(s, dlci);
1701                 break;
1702
1703         case RFCOMM_UA:
1704                 if (__test_pf(hdr->ctrl))
1705                         rfcomm_recv_ua(s, dlci);
1706                 break;
1707
1708         case RFCOMM_DM:
1709                 rfcomm_recv_dm(s, dlci);
1710                 break;
1711
1712         case RFCOMM_UIH:
1713                 if (dlci)
1714                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1715
1716                 rfcomm_recv_mcc(s, skb);
1717                 break;
1718
1719         default:
1720                 BT_ERR("Unknown packet type 0x%02x", type);
1721                 break;
1722         }
1723         kfree_skb(skb);
1724         return 0;
1725 }
1726
1727 /* ---- Connection and data processing ---- */
1728
1729 static void rfcomm_process_connect(struct rfcomm_session *s)
1730 {
1731         struct rfcomm_dlc *d;
1732         struct list_head *p, *n;
1733
1734         BT_DBG("session %p state %ld", s, s->state);
1735
1736         list_for_each_safe(p, n, &s->dlcs) {
1737                 d = list_entry(p, struct rfcomm_dlc, list);
1738                 if (d->state == BT_CONFIG) {
1739                         d->mtu = s->mtu;
1740                         if (rfcomm_check_security(d)) {
1741                                 rfcomm_send_pn(s, 1, d);
1742                         } else {
1743                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1744                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1745                         }
1746                 }
1747         }
1748 }
1749
1750 /* Send data queued for the DLC.
1751  * Return number of frames left in the queue.
1752  */
1753 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1754 {
1755         struct sk_buff *skb;
1756         int err;
1757
1758         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1759                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1760
1761         /* Send pending MSC */
1762         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1763                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1764
1765         if (d->cfc) {
1766                 /* CFC enabled.
1767                  * Give them some credits */
1768                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1769                                 d->rx_credits <= (d->cfc >> 2)) {
1770                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1771                         d->rx_credits = d->cfc;
1772                 }
1773         } else {
1774                 /* CFC disabled.
1775                  * Give ourselves some credits */
1776                 d->tx_credits = 5;
1777         }
1778
1779         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1780                 return skb_queue_len(&d->tx_queue);
1781
1782         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1783                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1784                 if (err < 0) {
1785                         skb_queue_head(&d->tx_queue, skb);
1786                         break;
1787                 }
1788                 kfree_skb(skb);
1789                 d->tx_credits--;
1790         }
1791
1792         if (d->cfc && !d->tx_credits) {
1793                 /* We're out of TX credits.
1794                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1795                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1796         }
1797
1798         return skb_queue_len(&d->tx_queue);
1799 }
1800
1801 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1802 {
1803         struct rfcomm_dlc *d;
1804         struct list_head *p, *n;
1805
1806         BT_DBG("session %p state %ld", s, s->state);
1807
1808         list_for_each_safe(p, n, &s->dlcs) {
1809                 d = list_entry(p, struct rfcomm_dlc, list);
1810
1811                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1812                         __rfcomm_dlc_close(d, ETIMEDOUT);
1813                         continue;
1814                 }
1815
1816                 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1817                         __rfcomm_dlc_close(d, ECONNREFUSED);
1818                         continue;
1819                 }
1820
1821                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1822                         rfcomm_dlc_clear_timer(d);
1823                         if (d->out) {
1824                                 rfcomm_send_pn(s, 1, d);
1825                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1826                         } else {
1827                                 if (d->defer_setup) {
1828                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1829                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1830
1831                                         rfcomm_dlc_lock(d);
1832                                         d->state = BT_CONNECT2;
1833                                         d->state_change(d, 0);
1834                                         rfcomm_dlc_unlock(d);
1835                                 } else
1836                                         rfcomm_dlc_accept(d);
1837                         }
1838                         continue;
1839                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1840                         rfcomm_dlc_clear_timer(d);
1841                         if (!d->out)
1842                                 rfcomm_send_dm(s, d->dlci);
1843                         else
1844                                 d->state = BT_CLOSED;
1845                         __rfcomm_dlc_close(d, ECONNREFUSED);
1846                         continue;
1847                 }
1848
1849                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1850                         continue;
1851
1852                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1853                         continue;
1854
1855                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1856                                                 d->mscex == RFCOMM_MSCEX_OK)
1857                         rfcomm_process_tx(d);
1858         }
1859 }
1860
1861 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1862 {
1863         struct socket *sock = s->sock;
1864         struct sock *sk = sock->sk;
1865         struct sk_buff *skb;
1866
1867         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1868
1869         /* Get data directly from socket receive queue without copying it. */
1870         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1871                 skb_orphan(skb);
1872                 if (!skb_linearize(skb))
1873                         rfcomm_recv_frame(s, skb);
1874                 else
1875                         kfree_skb(skb);
1876         }
1877
1878         if (sk->sk_state == BT_CLOSED) {
1879                 if (!s->initiator)
1880                         rfcomm_session_put(s);
1881
1882                 rfcomm_session_close(s, sk->sk_err);
1883         }
1884 }
1885
1886 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1887 {
1888         struct socket *sock = s->sock, *nsock;
1889         int err;
1890
1891         /* Fast check for a new connection.
1892          * Avoids unnesesary socket allocations. */
1893         if (list_empty(&bt_sk(sock->sk)->accept_q))
1894                 return;
1895
1896         BT_DBG("session %p", s);
1897
1898         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1899         if (err < 0)
1900                 return;
1901
1902         /* Set our callbacks */
1903         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1904         nsock->sk->sk_state_change = rfcomm_l2state_change;
1905
1906         s = rfcomm_session_add(nsock, BT_OPEN);
1907         if (s) {
1908                 rfcomm_session_hold(s);
1909
1910                 /* We should adjust MTU on incoming sessions.
1911                  * L2CAP MTU minus UIH header and FCS. */
1912                 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1913                                 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1914
1915                 rfcomm_schedule();
1916         } else
1917                 sock_release(nsock);
1918 }
1919
1920 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1921 {
1922         struct sock *sk = s->sock->sk;
1923
1924         BT_DBG("%p state %ld", s, s->state);
1925
1926         switch (sk->sk_state) {
1927         case BT_CONNECTED:
1928                 s->state = BT_CONNECT;
1929
1930                 /* We can adjust MTU on outgoing sessions.
1931                  * L2CAP MTU minus UIH header and FCS. */
1932                 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1933
1934                 rfcomm_send_sabm(s, 0);
1935                 break;
1936
1937         case BT_CLOSED:
1938                 s->state = BT_CLOSED;
1939                 rfcomm_session_close(s, sk->sk_err);
1940                 break;
1941         }
1942 }
1943
1944 static inline void rfcomm_process_sessions(void)
1945 {
1946         struct list_head *p, *n;
1947
1948         rfcomm_lock();
1949
1950         list_for_each_safe(p, n, &session_list) {
1951                 struct rfcomm_session *s;
1952                 s = list_entry(p, struct rfcomm_session, list);
1953
1954                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1955                         s->state = BT_DISCONN;
1956                         rfcomm_send_disc(s, 0);
1957                         rfcomm_session_put(s);
1958                         continue;
1959                 }
1960
1961                 if (s->state == BT_LISTEN) {
1962                         rfcomm_accept_connection(s);
1963                         continue;
1964                 }
1965
1966                 rfcomm_session_hold(s);
1967
1968                 switch (s->state) {
1969                 case BT_BOUND:
1970                         rfcomm_check_connection(s);
1971                         break;
1972
1973                 default:
1974                         rfcomm_process_rx(s);
1975                         break;
1976                 }
1977
1978                 rfcomm_process_dlcs(s);
1979
1980                 rfcomm_session_put(s);
1981         }
1982
1983         rfcomm_unlock();
1984 }
1985
1986 static int rfcomm_add_listener(bdaddr_t *ba)
1987 {
1988         struct sockaddr_l2 addr;
1989         struct socket *sock;
1990         struct sock *sk;
1991         struct rfcomm_session *s;
1992         int    err = 0;
1993
1994         /* Create socket */
1995         err = rfcomm_l2sock_create(&sock);
1996         if (err < 0) {
1997                 BT_ERR("Create socket failed %d", err);
1998                 return err;
1999         }
2000
2001         /* Bind socket */
2002         bacpy(&addr.l2_bdaddr, ba);
2003         addr.l2_family = AF_BLUETOOTH;
2004         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
2005         addr.l2_cid    = 0;
2006         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2007         if (err < 0) {
2008                 BT_ERR("Bind failed %d", err);
2009                 goto failed;
2010         }
2011
2012         /* Set L2CAP options */
2013         sk = sock->sk;
2014         lock_sock(sk);
2015         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2016         release_sock(sk);
2017
2018         /* Start listening on the socket */
2019         err = kernel_listen(sock, 10);
2020         if (err) {
2021                 BT_ERR("Listen failed %d", err);
2022                 goto failed;
2023         }
2024
2025         /* Add listening session */
2026         s = rfcomm_session_add(sock, BT_LISTEN);
2027         if (!s)
2028                 goto failed;
2029
2030         rfcomm_session_hold(s);
2031         return 0;
2032 failed:
2033         sock_release(sock);
2034         return err;
2035 }
2036
2037 static void rfcomm_kill_listener(void)
2038 {
2039         struct rfcomm_session *s;
2040         struct list_head *p, *n;
2041
2042         BT_DBG("");
2043
2044         list_for_each_safe(p, n, &session_list) {
2045                 s = list_entry(p, struct rfcomm_session, list);
2046                 rfcomm_session_del(s);
2047         }
2048 }
2049
2050 static int rfcomm_run(void *unused)
2051 {
2052         BT_DBG("");
2053
2054         set_user_nice(current, -10);
2055
2056         rfcomm_add_listener(BDADDR_ANY);
2057
2058         while (1) {
2059                 set_current_state(TASK_INTERRUPTIBLE);
2060
2061                 if (kthread_should_stop())
2062                         break;
2063
2064                 /* Process stuff */
2065                 rfcomm_process_sessions();
2066
2067                 schedule();
2068         }
2069         __set_current_state(TASK_RUNNING);
2070
2071         rfcomm_kill_listener();
2072
2073         return 0;
2074 }
2075
2076 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2077 {
2078         struct rfcomm_session *s;
2079         struct rfcomm_dlc *d;
2080         struct list_head *p, *n;
2081
2082         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2083
2084         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2085         if (!s)
2086                 return;
2087
2088         rfcomm_session_hold(s);
2089
2090         list_for_each_safe(p, n, &s->dlcs) {
2091                 d = list_entry(p, struct rfcomm_dlc, list);
2092
2093                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2094                         rfcomm_dlc_clear_timer(d);
2095                         if (status || encrypt == 0x00) {
2096                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2097                                 continue;
2098                         }
2099                 }
2100
2101                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2102                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2103                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2104                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2105                                 continue;
2106                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2107                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2108                                 continue;
2109                         }
2110                 }
2111
2112                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2113                         continue;
2114
2115                 if (!status && hci_conn_check_secure(conn, d->sec_level))
2116                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2117                 else
2118                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2119         }
2120
2121         rfcomm_session_put(s);
2122
2123         rfcomm_schedule();
2124 }
2125
2126 static struct hci_cb rfcomm_cb = {
2127         .name           = "RFCOMM",
2128         .security_cfm   = rfcomm_security_cfm
2129 };
2130
2131 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2132 {
2133         struct rfcomm_session *s;
2134
2135         rfcomm_lock();
2136
2137         list_for_each_entry(s, &session_list, list) {
2138                 struct rfcomm_dlc *d;
2139                 list_for_each_entry(d, &s->dlcs, list) {
2140                         struct sock *sk = s->sock->sk;
2141
2142                         seq_printf(f, "%s %s %ld %d %d %d %d\n",
2143                                                 batostr(&bt_sk(sk)->src),
2144                                                 batostr(&bt_sk(sk)->dst),
2145                                                 d->state, d->dlci, d->mtu,
2146                                                 d->rx_credits, d->tx_credits);
2147                 }
2148         }
2149
2150         rfcomm_unlock();
2151
2152         return 0;
2153 }
2154
2155 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2156 {
2157         return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2158 }
2159
2160 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2161         .open           = rfcomm_dlc_debugfs_open,
2162         .read           = seq_read,
2163         .llseek         = seq_lseek,
2164         .release        = single_release,
2165 };
2166
2167 static struct dentry *rfcomm_dlc_debugfs;
2168
2169 /* ---- Initialization ---- */
2170 static int __init rfcomm_init(void)
2171 {
2172         int err;
2173
2174         hci_register_cb(&rfcomm_cb);
2175
2176         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2177         if (IS_ERR(rfcomm_thread)) {
2178                 err = PTR_ERR(rfcomm_thread);
2179                 goto unregister;
2180         }
2181
2182         if (bt_debugfs) {
2183                 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2184                                 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2185                 if (!rfcomm_dlc_debugfs)
2186                         BT_ERR("Failed to create RFCOMM debug file");
2187         }
2188
2189         err = rfcomm_init_ttys();
2190         if (err < 0)
2191                 goto stop;
2192
2193         err = rfcomm_init_sockets();
2194         if (err < 0)
2195                 goto cleanup;
2196
2197         BT_INFO("RFCOMM ver %s", VERSION);
2198
2199         return 0;
2200
2201 cleanup:
2202         rfcomm_cleanup_ttys();
2203
2204 stop:
2205         kthread_stop(rfcomm_thread);
2206
2207 unregister:
2208         hci_unregister_cb(&rfcomm_cb);
2209
2210         return err;
2211 }
2212
2213 static void __exit rfcomm_exit(void)
2214 {
2215         debugfs_remove(rfcomm_dlc_debugfs);
2216
2217         hci_unregister_cb(&rfcomm_cb);
2218
2219         kthread_stop(rfcomm_thread);
2220
2221         rfcomm_cleanup_ttys();
2222
2223         rfcomm_cleanup_sockets();
2224 }
2225
2226 module_init(rfcomm_init);
2227 module_exit(rfcomm_exit);
2228
2229 module_param(disable_cfc, bool, 0644);
2230 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2231
2232 module_param(channel_mtu, int, 0644);
2233 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2234
2235 module_param(l2cap_mtu, uint, 0644);
2236 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2237
2238 module_param(l2cap_ertm, bool, 0644);
2239 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2240
2241 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2242 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2243 MODULE_VERSION(VERSION);
2244 MODULE_LICENSE("GPL");
2245 MODULE_ALIAS("bt-proto-3");